
Re: Apt sources.list



On Mon, Apr 17, 2023 at 12:45 AM <tomas@tuxteam.de> wrote:
>
> On Sun, Apr 16, 2023 at 09:20:22PM -0400, Jeffrey Walton wrote:
>
> [...]
> > > Corporations don't need browser cooperation for Data Loss Prevention
> > > (DLP) (but they already have it). Corporations just run an
> > > interception proxy, like NetSkope. The NetSkope Root CA is loaded into
> > > every browser trust store. The application will terminate all traffic,
> > > inspect it, and forward the request if it looks innocuous.
> >
> > To be clear... The NetSkope Root CA is loaded into browsers for
> > computers owned by the corporation. I.e., part of the corporation's
> > standard image.
>
> Heh. You made me search for it in my browser's root CA store ;-)
>
> Anyway, your points are all valid. I do recommend to have a look
> at the browser's default root CA store before saying "you're safe
> with TLS". This is just marketing. TLS is but one tool.

Yeah, I call it the "CA Zoo." The browsers will let just about anyone
into the store. All you need to do is check the boxes. If interested
in the day-to-day operations, subscribe to Mozilla's
dev-security-policy list at
https://groups.google.com/a/mozilla.org/g/dev-security-policy. It is
where CAs come to join the store.

There are some efforts to reduce the risk from the CA Zoo. For
example, VISA restricts the list as detailed at
https://developer.visa.com/pages/trusted_certifying_authorities .
VISA's list has 41 entries. It is better than the 150+ in Mozilla's and
Chrome's lists.

> Don't get me wrong: I think widespread use of TLS is a Good Thing.
> But going about it as if it was Redemption is paternalistic to the
> point of being counterproductive.
>
> Security is a process, not a product, as Schneier says.

Jeff
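Two points in the thread lend themselves to a concrete check: looking at what the local trust store actually contains (the "CA Zoo", plus anything a corporate image appended to it), and making a client trust only a curated bundle instead of the system store, which is what the VISA list amounts to. The script below is an added example and is not code from the thread, from Netskope or from VISA. It uses only the Python standard library; the organization names, the sample certificate dictionaries, the bundle path and the host name are constructed for illustration and are assumptions, not real data.

```python
"""Inspect what a TLS client really trusts, and detect a locally added issuer.

Added example, not from the mailing-list thread. Only the standard library is
used. Network-touching code is kept separate from the pure functions so the
logic can be run on constructed data.
"""
import socket
import ssl
from collections import Counter


def rdn_value(name, key):
    """Pull one attribute (e.g. 'organizationName') out of the tuple-of-tuples
    form that ssl.getpeercert() and SSLContext.get_ca_certs() use for names."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def roots_by_organization(ca_certs):
    """Count trusted roots per owning organization.

    ca_certs is the list SSLContext.get_ca_certs() returns. Its length is the
    size of the zoo; the number of distinct organizations is usually far
    smaller, which is the granularity a curated list works at."""
    return Counter(rdn_value(c["subject"], "organizationName") or "<no O=>"
                   for c in ca_certs)


def local_trust_store():
    """Roots this Python/OpenSSL build trusts right now: the system store,
    including anything an administrator or a proxy agent appended to it."""
    ctx = ssl.create_default_context()
    return ctx.get_ca_certs()


def curated_context(bundle_path):
    """Client context that trusts ONLY the roots in bundle_path (an operator
    maintained PEM file; the path is an assumption), never the system store.
    Deliberately no load_default_certs(), so a root pushed into the OS store
    by a corporate image does not automatically become trusted here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=bundle_path)
    return ctx


def issuer_is_expected(peer_cert, expected_issuer_orgs):
    """Return (ok, issuer_org) for a leaf certificate dictionary.

    When the interception proxy's root is in the local store the handshake
    simply succeeds, so the only client-side tell is WHO issued the leaf you
    were handed. expected_issuer_orgs is an allowlist the caller maintains for
    that site (an assumption here)."""
    org = rdn_value(peer_cert.get("issuer", ()), "organizationName")
    return org in expected_issuer_orgs, org


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Complete a handshake with the system store and return the leaf as a
    dict. This is the only function that touches the network."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data, in the shapes the ssl module returns.
SAMPLE_STORE = [
    {"subject": ((("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Root R1"),))},
    {"subject": ((("organizationName", "Example Trust Services"),),
                 (("commonName", "Example Root R2"),))},
    {"subject": ((("organizationName", "Corp IT Interception CA"),),
                 (("commonName", "corp-proxy-root"),))},
]
SAMPLE_LEAF_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Corp IT Interception CA"),),),
}


if __name__ == "__main__":
    import sys
    store = local_trust_store()
    print(f"{len(store)} roots in the local store, by organization:")
    for org, n in roots_by_organization(store).most_common():
        print(f"  {n:3d}  {org}")
    if len(sys.argv) > 1:  # e.g. python3 trust_check.py www.example.com
        leaf = fetch_peer_cert(sys.argv[1])
        ok, org = issuer_is_expected(leaf, {"Example Trust Services"})
        print("issuer:", org, "(expected)" if ok else "(NOT in allowlist)")
```

Run it with no arguments on a corporate laptop and on a clean install and compare the organization list; a vendor such as Netskope shows up as an extra organization that is absent from the public Mozilla store. Pointing `curated_context()` at a small bundle is the mechanism behind a restricted list like VISA's: verification still works, but only for chains that end in a root you chose.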

