On 03/14/14 19:56, Julian Oliver wrote: > ..on Fri, Mar 14, 2014 at 10:46:30AM -0700, Lucas Gonze wrote: >> Let's say web servers auto generated self-signed certificates for any >> domain that didn't supply its own certificate, likely one from an authority. >> >> What that would accomplish is to make the stream unreadable over the wire, >> unless the attacker was willing and able to do an MITM with their own auto >> generated self-signed certificate. >> >> It would not be hard to do that MITM, but it would be orders of magnitude >> more expensive than copying unencrypted bytes off the router. It would not >> be practical to do the MITM against a large portion of traffic. The >> attacker would have to pick their targets. > >> >> Thoughts? >
> > It would be good if Debian and other popular GNU/Linux LAMP distributions made > OpenSSL/TLS key generation (and set up of a VirtualHost template for :443) an > encouraged option during an Apache installation (OpenSSL is a dependency > anyway). It could be a simple walkthrough with Qs for CN and admin email, > abstracting over the classic and ungainly: > > openssl req -new -x509 -days 365 -nodes -out > /etc/ssl/localcerts/apache.pem -keyout /etc/ssl/localcerts/apache.key > One could also automatically derive the DNSSEC-DANE TLSA record from that server certificate and mail it to the sysadmin. Include a paragraph that explains that by publishing that record, the site has stronger protections against MitM-attacks than possible with CA-bought certificates. (the downside is that user need to install the Extended-DNSSEC-Validator plug in). Regards, Guido. -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu.