Valid vs Invalid SSL certificates - Was: Re: ISPDB configs without STARTTLS and/or SSL
asutherland at asutherland.org
Wed Jan 23 16:27:59 UTC 2013
On 01/23/2013 08:37 AM, Tanstaafl wrote:
> While I understand the reasoning, I'm *very* interested in your
> response to ace's last reply about how the use of the Certificate
> Patrol extension combined with a properly installed self-signed cert
> is actually more secure than using a trusted cert issued by a CA
> (without the Cert Patrol extension installed)...

I agree with Ace's statement, although I would probably qualify that
with the statement that you really want to manually verify the hash of
the key when first accepting it.

> Also, it sounds like, in your last comment about 'certificate
> pinning', that you are describing a similar but less functional method
> for dealing with changed certs than Cert Patrol uses... so, why not
> just incorporate its functionality instead of reinventing the wheel?

If the code is Apache 2.0 licensed/compatible or the authors are willing
to re-license, whatever code is reusable seems like a good thing to
reuse. Judging from the AMO comments, it seems like the extension may
have problems with server farms where not all machines use the same
certificate, so it might not be a slam dunk and new code might need to
be written to try and generalize the certificate to a specific CA-chain
before alerting, etc.

Another interesting Firefox certificate extension is convergence:
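
The alerting policy discussed in this message (pin on first use, stay quiet when a server farm presents a different leaf under the same CA chain, alert otherwise), sketched as an added example that is not part of the original post and is not Cert Patrol's or Thunderbird's code. `PinStore`, the verdict strings and the byte strings standing in for DER certificates are all assumptions made for illustration.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

class PinStore:
    """Hypothetical trust-on-first-use pin store, keyed by host name.

    Assumes the TLS stack has already verified chain signatures for
    CA-issued certificates; without that, appending the pinned CA
    certificates to a forged leaf would pass the same-issuer test.
    """

    def __init__(self):
        self._pins = {}  # host -> {"leaves": set, "issuers": frozenset}

    def check(self, host, chain_der):
        """chain_der is [leaf, intermediate..., root] as DER bytes.

        Returns 'first-use', 'match', 'same-issuer' or 'alert'.
        """
        if not chain_der:
            raise ValueError("empty certificate chain")
        leaf = fingerprint(chain_der[0])
        issuers = frozenset(fingerprint(c) for c in chain_der[1:])
        pin = self._pins.get(host)
        if pin is None:
            # First contact: the caller should show `leaf` to the user
            # so it can be compared with a hash obtained out of band.
            self._pins[host] = {"leaves": {leaf}, "issuers": issuers}
            return "first-use"
        if leaf in pin["leaves"]:
            return "match"
        # New leaf under the identical issuing chain: typical of a farm
        # whose machines hold different certificates from one CA.
        # A self-signed cert has no issuers, so any change alerts.
        if issuers and issuers == pin["issuers"]:
            pin["leaves"].add(leaf)
            return "same-issuer"
        return "alert"

# Constructed placeholder bytes standing in for DER certificates.
LEAF_A, LEAF_B, LEAF_C = b"leaf-a", b"leaf-b", b"leaf-c"
INTERMEDIATE, ROOT, OTHER_CA = b"intermediate", b"root", b"other-ca"
SELF_A, SELF_B = b"self-signed-a", b"self-signed-b"
```
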