Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://foggyminds.com/objects/c6ef095f-2067-3cec-eb68-c9d650862052">shiri (shiri@foggyminds.com)'s status on Wednesday, 20-Nov-2024 05:00:38 JST</a><a href="https://foggyminds.com/profile/shiri" title="shiri@foggyminds.com"><img src="https://gnusocial.jp/theme/gnusocialjp/default-avatar-stream.png" width="48" height="48" alt="shiri" style="position: absolute; left: 0; top: 0;">shiri</a><div><ul><li><li><a href="https://gnusocial.jp/user/22153" title="silverwizard@convenient.email">silverwizard</a></li></ul></div></section><article><p><a href="https://convenient.email/profile/silverwizard">@silverwizard</a> <a href="https://mastodon.neilzone.co.uk/users/neil">@neil</a> has anyone actually established a better system really?</p><p>Not going to argue that LE doesn't have it's problems, or even just the underlying SSL system in general.</p><p>LE thanks to ease and being free without much "competition" it has the crucial problem of hosting far too high a proportion of the the certs for the whole internet.</p><p>SSL in general has the problem of CAs getting hacked and issuing fraudulent certs.</p><p>Only improvement I can think of in that security at all is maybe double-certified certificates? (require you to go through two wholly separate providers with the same key to have a valid key and requiring both to sign for any updates to go through and maybe a certificate chain for whenever it changes hands)</p><p>Beyond that it's always a cludge, people aren't going to check them themselves, they're not going to manage certificates themselves... so you just have a preauthed group of keys installed in your system, trust them to be above board, and then trust the providers of those keys to be above board. Honestly shocked we haven't had more issues, but that's kinda how security goes.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4030639#notice-7876848">In conversation</a><time datetime="2024-11-20T05:00:38+09:00" title="Wednesday, 20-Nov-2024 05:00:38 JST">about 6 months ago</time> <span>from <span><a href="https://gnusocial.jp/notice/7876848" rel="external" title="Sent from gnusocial.jp via ActivityPub">gnusocial.jp</a></span></span><a href="https://gnusocial.jp/notice/7876848">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
shiri (shiri@foggyminds.com)'s status on Wednesday, 20-Nov-2024 05:00:38 JSTshiri
- Neil Brown
- silverwizard
@silverwizard @neil has anyone actually established a better system really?
Not going to argue that LE doesn't have it's problems, or even just the underlying SSL system in general.
LE thanks to ease and being free without much "competition" it has the crucial problem of hosting far too high a proportion of the the certs for the whole internet.
SSL in general has the problem of CAs getting hacked and issuing fraudulent certs.
Only improvement I can think of in that security at all is maybe double-certified certificates? (require you to go through two wholly separate providers with the same key to have a valid key and requiring both to sign for any updates to go through and maybe a certificate chain for whenever it changes hands)
Beyond that it's always a cludge, people aren't going to check them themselves, they're not going to manage certificates themselves... so you just have a preauthed group of keys installed in your system, trust them to be above board, and then trust the providers of those keys to be above board. Honestly shocked we haven't had more issues, but that's kinda how security goes.
In conversationabout 6 months ago from gnusocial.jppermalink

Public

Embed Notice

HTML Code

Corresponding Notice