On Tue, Jun 1, 2021 at 8:16 AM Michael Orlitzky <m...@gentoo.org> wrote:
>
> On Tue, 2021-06-01 at 13:02 +0100, Peter Humphrey wrote:
> >
> > So what would you recommend for someone in the case Joost cites? I'm in that
> > position, being a home user of a small network but no registered Internet
> > name.
> >
>
> A self-signed certificate combined with a browser extension that lets
> you "pin" it. With pinning, you can keep your browser usable on the WWW
> while still rejecting any forged certificates for your own hosts. The
> end result works pretty much like SSH keys do.
Can't really argue with this. However, for those who aren't completely following along, it is probably worth pointing out that the way you're doing it is different from the way 99.999% of the world is doing it.

So, if you're talking about securing communications between hosts you control, what mjo suggests is a much better solution than the standard solution (at least security-wise). There are probably better ways to do it, but not much that is standard.

However, if you're working with others then that solution isn't such a good one, as it isn't really standard. That said, it isn't uncommon for more sophisticated companies to pin certificates from their partners so that a random CA can't do an end-run around security. I have vendors I work with who regularly send out notices of pending certificate changes to technical contacts to allow for this.

Really though, the entire SSL CA infrastructure needs a massive overhaul. Using something like DNSSEC as a trust root would be one way to go about it. Another might be to restrict the scope that CAs could sign within and have some way to automate that.

Self-signed certs aren't a good solution for the average user, and no SSL is an even worse one (at best it removes security theater, but at the cost of allowing attackers to not even bother with subverting the CA system, which opens up a lot more attacks). Right now you can browse using SSL to army.mil for the first time and in theory your browser won't complain if the certificate is signed by the PLA...

--
Rich
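The pinning mjo describes (accept a self-signed certificate once, then reject anything else for that host, the way SSH's known_hosts works) can be written down in a few dozen lines. The following is an added example, not code from the thread or from any browser extension; it uses only the Go standard library, and the hostname nas.home.example and the certificates it generates are constructed for the demonstration. The store pins the SHA-256 of the SubjectPublicKeyInfo rather than the whole certificate, so the host can renew its certificate with the same key without the pin changing, and a certificate for the same name under a different key is refused regardless of who signed it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrPinMismatch is returned when a host presents a key other than the one pinned for it.
var ErrPinMismatch = errors.New("pin mismatch: certificate key differs from the pinned key")

// PinStore maps a hostname to the base64 SHA-256 of its SubjectPublicKeyInfo,
// filling the role ~/.ssh/known_hosts plays for SSH host keys.
type PinStore map[string]string

// SPKIPin returns the SHA-256 of the certificate's SubjectPublicKeyInfo, base64-encoded.
// Pinning the key rather than the whole certificate lets the host renew the
// certificate (new dates, new serial) without the pin changing.
func SPKIPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:]), nil
}

// Verify returns a tls.Config.VerifyPeerCertificate callback for host.
// First contact records the pin (trust on first use, as SSH does); afterwards
// any certificate whose key does not match is rejected, whoever signed it.
func (s PinStore) Verify(host string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("peer presented no certificate")
		}
		pin, err := SPKIPin(rawCerts[0]) // rawCerts[0] is the leaf certificate
		if err != nil {
			return err
		}
		known, seen := s[host]
		if !seen {
			s[host] = pin // first contact: this is the trust decision
			return nil
		}
		if known != pin {
			return fmt.Errorf("%s: %w", host, ErrPinMismatch)
		}
		return nil
	}
}

// ClientConfig builds the tls.Config a pinning client would use for host.
// InsecureSkipVerify only switches off the CA-chain check; VerifyPeerCertificate
// still runs and is what actually decides whether the connection is accepted.
func ClientConfig(s PinStore, host string) *tls.Config {
	return &tls.Config{
		ServerName:            host,
		MinVersion:            tls.VersionTLS12,
		InsecureSkipVerify:    true,
		VerifyPeerCertificate: s.Verify(host),
	}
}

// SelfSignedDER makes a fresh self-signed certificate for host (constructed test
// data, the kind a home server generates for itself); each call uses a new key.
func SelfSignedDER(host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	host := "nas.home.example" // assumed hostname on a home LAN
	store := PinStore{}
	verify := ClientConfig(store, host).VerifyPeerCertificate

	genuine, _ := SelfSignedDER(host)
	forged, _ := SelfSignedDER(host) // same name, different key: what a subverted CA could mint

	fmt.Println("first contact:", verify([][]byte{genuine}, nil)) // <nil>, pin recorded
	fmt.Println("reconnect:    ", verify([][]byte{genuine}, nil)) // <nil>
	fmt.Println("forged cert:  ", verify([][]byte{forged}, nil))  // pin mismatch error
}
```

As with SSH, the first connection is where the trust is established, so the pin for a host you control should be checked out of band (compare the fingerprint the server prints with what the client stored) rather than assumed. After that the connection fails closed on any key change, which is exactly the point: a renewal with the same key goes through, while a certificate for the same name under a different key is refused regardless of the CA that issued it.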