Valid vs Invalid SSL certificates - Was: Re: ISPDB configs without STARTTLS and/or SSL

Andrew Sutherland asutherland at asutherland.org
Wed Jan 23 16:27:59 UTC 2013


On 01/23/2013 08:37 AM, Tanstaafl wrote:
> While I understand the reasoning, I'm *very* interested in your 
> response to ace's last reply about how the use of the Certificate 
> Patrol extension combined with a properly installed self-signed cert 
> is actually more secure than using a trusted cert issued by a CA 
> (without the Cert Patrol extension installed)...

I agree with Ace's statement, although I would probably qualify that 
with the statement that you really want to manually verify the hash of 
the key when first accepting it.


> Also, it sounds like, in your last comment about 'certificate 
> pinning', that you are describing a similar but less functional method 
> for dealing with changed certs than Cert Patrol uses... so, why not 
> just incorporate its functionality instead of reinventing the wheel?

If the code is Apache 2.0 licensed/compatible or the authors are willing 
to re-license, whatever code is reusable seems like a good thing to 
reuse.  Judging from the AMO comments, it seems like the extension may 
have problems with server farms where not all machines use the same 
certificate, so it might not be a slam dunk and new code might need to 
be written to try and generalize the certificate to a specific CA-chain 
before alerting, etc.

Another interesting Firefox certificate extension is convergence: 
http://www.convergence.io/index.html

Andrew
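The trust-on-first-use scheme discussed above (pin the key after the user has verified its hash, alert on change, but first try to generalize to the issuing CA so that a server farm with per-host certificates does not cause false alarms) can be sketched as a small pin store. This is an added illustration, not code from Certificate Patrol or Thunderbird; the SPKI byte strings and host name are constructed sample data, and pins are base64(SHA-256(SubjectPublicKeyInfo)) as in HTTP public-key pinning.

```python
import base64
import hashlib
from dataclasses import dataclass, field

# Constructed sample data: stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
LEAF_A = b"constructed-spki-leaf-mail-A"   # first cert seen for the host
LEAF_B = b"constructed-spki-leaf-mail-B"   # another farm member, same CA
LEAF_C = b"constructed-spki-leaf-mail-C"   # cert from an unrelated issuer
CA_X = b"constructed-spki-issuing-ca-X"
CA_Y = b"constructed-spki-issuing-ca-Y"


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


@dataclass
class PinStore:
    pins: dict = field(default_factory=dict)  # host -> {"leaf": pin, "ca": pin}

    def check(self, host, leaf_spki, ca_spki, user_confirms_fingerprint):
        """Classify a connection: 'pinned', 'ok', 'rotated-same-ca',
        'MISMATCH' (alert), or 'REJECTED' (user declined at first use)."""
        pin_leaf, pin_ca = spki_pin(leaf_spki), spki_pin(ca_spki)
        stored = self.pins.get(host)
        if stored is None:
            # TOFU: store the pin only after the user has compared the
            # fingerprint against a value obtained out of band.
            if not user_confirms_fingerprint(host, pin_leaf):
                return "REJECTED"
            self.pins[host] = {"leaf": pin_leaf, "ca": pin_ca}
            return "pinned"
        if stored["leaf"] == pin_leaf:
            return "ok"
        if stored["ca"] == pin_ca:
            # Leaf changed but the issuing CA is the one we pinned: the
            # server-farm case Andrew describes, so do not alert outright.
            return "rotated-same-ca"
        return "MISMATCH"  # new key under a different CA: raise the alert


def demo(host="mail.example.invalid"):
    """Walk one host through first use, repeat visit, farm rotation, and a swap."""
    store = PinStore()
    accept = lambda h, pin: True   # stands in for the user checking the hash
    return [store.check(host, LEAF_A, CA_X, accept),
            store.check(host, LEAF_A, CA_X, accept),
            store.check(host, LEAF_B, CA_X, accept),
            store.check(host, LEAF_C, CA_Y, accept)]
```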