Re: ca-certificates: no more cacert.org certificates?!?

To: debian-devel@lists.debian.org
Subject: Re: ca-certificates: no more cacert.org certificates?!?
From: Holger Levsen <holger@layer-acht.org>
Date: Tue, 1 Apr 2014 12:01:25 +0200
Message-id: <[🔎] 201404011201.27979.holger@layer-acht.org>
In-reply-to: <[🔎] E1WUszb-0007bm-Qz@swivel.zugschlus.de>
References: <1722468.nyLnYD01gx@debstor> <87ha6edl8d.fsf@windlord.stanford.edu> <[🔎] E1WUszb-0007bm-Qz@swivel.zugschlus.de>

Hi,

On Dienstag, 1. April 2014, Marc Haber wrote:
> I have to agree on that. But a Startcom Certificate on a personal web
> site is one web site more that doesn't train users to blindly click
> away certificate warnings. A cacert certificate or a self-signed
> certificate on a personal web site is one web site more that does that
> kind of training.

so what? SSL is broken by design, "trusting" anything based on an SSL 
certificate is foolish at best. any CA (of which there are hundreds enabled in 
browsers and system libraries by default) can sign any certificate and most 
(all?) tools won't complain/detect this.

so in a way, training not to trust these certs is the best one can do :)

cheers,
	Holger, who wishes banks would push gpg & monkeysphere for https

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply to:

References:
- Re: ca-certificates: no more cacert.org certificates?!?
  - From: Marc Haber <mh+debian-devel@zugschlus.de>

Prev by Date: Re: Bug#743282: ITP: apt-get-snapshot -- Download a specific package version from snapshot.debian.org
Next by Date: --> APT's New Version <--
Previous by thread: Re: ca-certificates: no more cacert.org certificates?!?
Next by thread: Re: default messaging/VoIP client for Debian 8/Jessie
Index(es):
- Date
- Thread