> On Jan 4, 2022, at 14:37, Michael <keybou...@gmail.com> wrote:
>
>
> On 2022-01-03, at 4:12 PM, Richard L. Hamilton <rlha...@smart.net> wrote:
>
>> The only problem with that or anything similar, is that unless you go to
>> quite a lot of work to just download rather than install the PEM file, and
>> convert it into something human readable WITHOUT installing it, and
>> investigate every certificate in there, you're trusting that the site you
>> got it from is not only legit, but is secure and hasn't been hacked to alter
>> the file to provide some very bogus certificates that could work together
>> with some sort DNS spoofing to get you to feed sensitive information (ie
>> bank passwords, etc) via an untrusted site that would capture it.
>
> Makes sense. Now, how do you go about turning a certificate into something
> human readable? Serious question, I have *never* seen this discussed anywhere.
The file that the script downloads is a whole bunch of PEM files concatenated
together. The script shows splitting that into separate files at the start
lines. Once that's done,
for file in *.pem
do
openssl -x509 -in $file -text >$file.txt
done
will convert them to something you can look at. But that's the easy part.
Looking at them and making sense of them and investigating each of the 169 will
take you a day or two, which is why I'm not going to say much more about it.
Probably IF one used a more trusted set of root certificates for comparison,
one could decide which were definitely ok and which needed further
investigation, but automating all that would NOT BE FUN.
Arguably the best solution is to get ahold of the certificates bundled in the
latest OS version and use those, but no doubt that's often easier said than
done, although you can (given enough space) download the update image on your
old hardware that cannot run it, and (given enough knowledge) dig those
certificates out of the update image and get them into a form that you can then
import into your old system.
Realistically a lot could be fixed by just using keychain access to look for
expired root certificates, and then look through one of those stashes for their
replacements. Again manually, unless you want to do some very creative
automating. I'm not volunteering to kill days or more doing that!
> Everyone just says "As long as the roots are good you can trust the chain",
> and that's never made sense to me. The whole "trust what strangers say"
> system seems more like "Find a way for companies to make money" than any good
> security system.
>
Everything has to start somewhere. Usually that's with an OS or browser vendor
that decides which root certificates to bundle. (Do you REALLY want one
planetary certificate at the tip-top provided by the UN, with all subordinate
certificate issuers (government OR commercial) rooted to that? It'd be
possible, but it's probably better trusting a bunch of different folks than
trusting one with absolute power to break everything.) -Site or personal
certificates chain back to the issuer's certificate. There are FREE CERTIFICATE
ISSUERS, but they have their own problems, chiefly no budget, so jumping all
the auditing hoops (or even keeping their infrastructure reliable) needed to
get OS and browser vendors to included them can be a problem for them. And old
OSs and the older browser versions supported on them for browsers other than
the one that comes with the OS, are not supported forever because nobody is
getting paid to do that, so they don't get updates for expired certificates,
new certificate issuers, etc.
Programmers and such gotta eat too, have a roof over their heads, etc. Some
even have little kiddies to feed, which is hardly greed, not that there's any
shortage of actual greed.
Probably that site with the bunch to download is fine, but I don't have access
to a list of baddies, so I'm at best ambivalent about trusting it without more
digging first than I'm likely to do. At most, I'd do it to make stuff that
didn't matter work on an old system, but never run anything that could lose me
$$ or compromise accounts on there - so I'd have root certificates but NOT
iCloud keychain access enabled nor any account passwords, personal
certificates, etc on it.