> Security by obscurity -- that's the ticket.

No, I'm not hiding them, 700, but I have made them just root executable,
as everything in {/user,}/sbin should be, IMO.  And nobody has mentioned
any circumstance where a user NEEDS to run them.

> It's a little more work to import it into, say, the set of recognised
> authorities stored in a user's Firefox profile. But probably not
> much... it's trivial to do from the browser itself, and can probably
> be automated using some of the tools provided by NSS.

So I believe.  A few times a year I visit a site, and get a pop-up that
the certificate has expired, do I want to accept a new certificate,
temporarily or permanently.  I look at it, they LOOK OK, but I'm always
concerned about spoofing.

> and any hacker will just use those tools directly. All you'd be
> gaining is a false sense of security...

I'm not terribly concerned about a hacker per se, these are home
computers.  But there are (sneaky) ways the user (me) can be tricked.
Happens all the time.  I'm trying to avoid making that easier than it
has to be.

> - The third place (I know) is a file in Berkeley DB format in
>   $HOME/.mozilla/firefox/.../cert8.db. In that file, the user can
>   include certificates using the "preference" menu of firefox. He or
>   she does not need the scripts on the "Certificate authority
>   certificates" page...

OK.  Where do they come from originally?  It's been some years, but I
don't believe I installed them on earlier builds.

> I do not know whether a site can access that file to include its own
> certificate, without the user knowing. But certainly, the user can
> include any certificate in it, and this is desirable...

And certainly the user can be tricked into installing one.  I don't
mean to sound paranoid, it's just that "social engineering", i.e.
trickery, is (one of) the most common way of getting malware introduced
to a system.

> Full responsibility to assess them belongs to the local system
> administrator."
>
> But they do not tell how to assess...

Yes.  And so we are vulnerable.
-- 
Paul Rogers
Rogers' Second Law: "Everything you do communicates."
(I do not personally endorse any additions after this line. TANSTAAFL :-)

        


-- 
http://lists.linuxfromscratch.org/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
