On 26/03/2015 01:39, Paul Rogers wrote:
Paul, your tone is super aggressive, or so it looks like in
written form.
I'm sorry, Emanuele, that isn't my intent. I'm just very, very
frustrated. I do like to run a secure, hardened, but still usable
system. It's not my habit to put things out that invite mischief.
All the responses have been dismissive "don't worry about it". The
direct question I asked, "Does anyone know of a legitimate reason a user
would need to do this, e.g. like having a private key ring," has never
been addressed.
The point is, if the certificates used by the browser are in a read-
only location, then the script is harmless, and if the browser can
For the record: I get all that! I completely understand. OK? I don't
need to be told, again. It only adds to the frustration.
But let me point out an assumption you're making: "if the certificates
used by the browser are in a read-only location". What's the "if not",
"otherwise", part of it? In fact, are those the ONLY certificates a
browser/email client would use? What if the user had his/her own
"certificates"? I don't know for sure. I don't think I want a user to
have any certificates--if they might be used they're dangerous, if
they'd never be used, there's no reason to have them.
Hi Paul,
Thanks for clarifying your point, and sorry if I did not understand
sooner: my regular language is not English...
I think the beginning of the Wikipedia entry is a good place to start:
"Trusted certificates are typically used to make secure connections
<http://en.wikipedia.org/wiki/Transport_Layer_Security> to a server over
the Internet. A certificate is required in order to avoid the case that
a malicious party which happens to be on the path to the target server
pretends to be the target. Such a scenario is commonly referred to as a
man-in-the-middle attack
<http://en.wikipedia.org/wiki/Man-in-the-middle_attack>. The client uses
the CA certificate to verify the CA signature on the server certificate,
as part of the checks before establishing a secure connection. Usually,
client software—for example, browsers—include a set of trusted CA
certificates. That makes sense in as much as users need to trust their
client software: A malicious or compromised client can skip any security
check and still fool its users into believing otherwise."
There are three places I know where client applications look for CA
certificates. On BLFS systems they are:
- /etc/ssl (used by applications using ssl, such as openssX, gnutls, and
some mail programs)
- $JAVA_HOME/jre/lib/security (for java apps, as you might have guessed)
Both are read-only locations for normal users, of course. Unless client
applications are themselves malicious (see above), there is no way to
have them look into other places. If users have the programming skills
to modify clients like firefox or java, they can as well write simple
scripts to manipulate certificates: that is not the hard part, and they
would not need ours...
- The third place (I know) is a file in Berkeley DB format in
$HOME/.mozilla/firefox/.../cert8.db. In that file, the user can include
certificates using the "preference" menu of firefox. He or she does not
need the scripts on the "Certificate authority certificates" page...
I do use it to include certificates for the CNRS (French national center
for scientific research) web sites. I do not know whether a site can
access that file to include its own certificate, without the user
knowing. But certainly, the user can include any certificate in it, and
this is desirable...
I am not sure, but it seems to me that the weakness in the
ca-certificate (and PKI more generally) system, is if a publicly
accessible repository is compromised, or if a company with a trusted
certificate does things that show we should not have trusted them (as
described in the link you have given).
Actually, this is what Debian says about its ca-certificate packages:
"Please note that Debian can neither confirm nor deny whether the
certificate authorities whose certificates are included in this package
have in any way been audited for trustworthiness or RFC 3647 compliance.
Full responsibility to assess them belongs to the local system
administrator."
But they do not tell how to assess...
Pierre
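As an added example (not part of the thread, nor a BLFS script), here is how a local administrator can check the two points Pierre makes: that the system CA stores are not writable by normal users, and which CA-trusted certificates a user has added to a Firefox profile's cert8.db. It assumes a BLFS-style layout with /etc/ssl and $JAVA_HOME/jre/lib/security as the system stores, and NSS certutil for reading the profile database.

```shell
#!/bin/sh
# Added example: audit the CA stores named in the message above.
# Assumption: system stores are /etc/ssl and $JAVA_HOME/jre/lib/security;
# anything under them that is group- or world-writable lets a normal user
# plant a CA that openssl/gnutls/java clients would then trust.

# Print every entry under DIR with a group or world write bit; return 1 if any.
check_store_writable() {
    dir=$1
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    # POSIX find: -perm -g+w matches entries whose group write bit is set
    bad=$(find "$dir" \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null)
    if [ -n "$bad" ]; then
        printf 'writable by non-owner under %s:\n%s\n' "$dir" "$bad"
        return 1
    fi
    return 0
}

# List certificates in a Firefox profile (legacy cert8.db, Berkeley DB format)
# whose SSL trust flag contains "C", i.e. the user has marked them as a CA for
# web sites. Trust attributes are printed by certutil as SSL,S/MIME,JAR/XPI.
list_profile_cas() {
    profile=$1
    command -v certutil >/dev/null || { echo "certutil (NSS) not found" >&2; return 2; }
    certutil -L -d "dbm:$profile" |
        awk '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ { split($NF, f, ","); if (f[1] ~ /C/) print }'
}

for store in /etc/ssl "${JAVA_HOME:-/opt/jdk}/jre/lib/security"; do
    check_store_writable "$store" && echo "ok: $store is read-only for non-owners"
done
# Example profile call: list_profile_cas "$HOME/.mozilla/firefox/xxxxxxxx.default"
```

The profile directory name (the "xxxxxxxx.default" part) differs per user; substitute the real one from $HOME/.mozilla/firefox/profiles.ini.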
--
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html