You are talking about browser fuckary, not openvpn. Openvpn uses the hierarchical PKI of x509, but has no default "trusted" CAs.
x509 is a pretty workable system (I refuse to call it "good.") > On Mon, Aug 25, 2014 at 1:22 PM, Richard Pieri <[email protected]> > wrote: >> It's not that I hate OpenVPN. It's that I hate key escrow systems. Hated >> them since the early 1990s. I hate them because they're single points of >> compromise for entire systems. I hate them because compromise is >> undetectable by users. > > It's not that X.509 file format is the problem per se, it's the > browser Root CA infrastructure that has been built upon it, that is > used by most non-browser SSL apps too. > > In the Public CA infrastructure, most any sub-CA cert signed by any > cert traceable to any browser Root CA can issue a MITM cert to > impersonate any specific FQDN or *.someone.TLD . If the system was > fit for purpose, should the Hong Kong Postal Authority or the > stolen/compromised CA key be able to issue *.BLU.org certs that are > trusted? No. As is, would you know if they did? Not immediately, > maybe never. > > Combine that with the weak nature of DNS and BGP security and any > sufficiently advanced opponent -- either state-sponsored or > organized-crime -- can beat SSL, at least against targeted or regional > users. > > [ Add in how we like URL shorteners with cutely irrelevant 2L national > TLDs like .LY .IE .US .CO .NU .TV that are property of governments > that might be either amenable to official or corrupt requests, and > it's only easier to divert traffic. ] > > Unpatched systems might still accept cancelled compromised-CA-key > signed forgeries today. > (The CRL won't save them, it can be blocked by an aggressive adversary > with local or regional DNS/BGP poisoning ability, which is needed for > most MITM anyway ! ) > > -- > Bill Ricker > [email protected] > https://www.linkedin.com/in/n1vux > _______________________________________________ > Discuss mailing list > [email protected] > http://lists.blu.org/mailman/listinfo/discuss > _______________________________________________ Discuss mailing list [email protected] http://lists.blu.org/mailman/listinfo/discuss
