> Paul, your tone is super aggressive, or so it looks like in
> written form.

I'm sorry, Emanuele, that isn't my intent. I'm just very, very frustrated. I do like to run a secure, hardened, but still usable system. It's not my habit to put things out that invite mischief. All the responses have been dismissive "don't worry about it". The direct question I asked, "Does anyone know of a legitimate reason a user would need to do this, e.g. like having a private key ring," has never been addressed.

> The point is, if the certificates used by the browser are in a read-
> only location, then the script is harmless, and if the browser can

For the record: I get all that! I completely understand. OK? I don't need to be told, again. It only adds to the frustration. But let me point out an assumption you're making: "if the certificates used by the browser are in a read-only location". What's the "if not", "otherwise", part of it? In fact, are those the ONLY certificates a browser/email client would use? What if the user had his/her own "certificates"? I don't know for sure. I don't think I want a user to have any certificates--if they might be used they're dangerous, if they'd never be used, there's no reason to have them.

> install a new certificate in a writable location, then the script is
> irrelevant. Am I missing something? (My knowledge on this topic is
> almost zero.)

It appears to me these scripts could be used to create CA Certificates, (and who knows how trustworthy those might be) in a user's ~/.ssl where perhaps openssl and/or a browser would accept them, quite possibly ushering malware onto the system--that guess who will have to clean up if I can. Is that impossible? I don't know, is it? If so, why is this such a big issue as I read about just today?

http://www.pcworld.com/article/2901812/microsoft-blacklists-latest-rogue-ssl-certificates-mozilla-mulls-sanctions-for-issuer.html#tk.rss_all

I guess I need to go get new certificates now.

--
Paul Rogers
[email protected]
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)
