Re: [gentoo-user] app-misc/ca-certificates

2021-05-31 Thread William Kenworthy


On 1/6/21 12:45 pm, J. Roeleveld wrote:
> On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote:
>> On Sat, May 29, 2021 at 03:08:39AM +0200, zca...@gmail.com wrote
>>
>>> 125 config files in /etc/ssl/certs needs update.
>>>
>>> For certificates I would expect the old and invalid ones to be replaced
>>> by newer ones without user intervention.
>>   Looking through them is "interesting".  There seem to be a lot of
>> /etc/ssl/certs/.0 files, where "?" is either a random number or
>> a lower case letter.  These all seem to be symlinks to
>> /etc/ssl/certs/.pem.  Each of those files is in turn a
>> symlink to /usr/share/ca-certificates/mozilla/.crt.  How much
>> do we trust China?  There are a couple of certificates in there named
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt  and
>> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt.  Any
>> other suspicious regimes in there?
> I've always wondered about the amount of CAs that are auto-trusted on any 
> system. Including several from countries with serious human rights issues.
>
> I could do with a tool where I can easily select which CAs to trust based on 
> country.
>
> --
> Joost


And another "wondering" - all the warnings about trusting self signed
certs seem a bit self serving. Yes, they are trying to certify who you
are, but at the expense of probably allowing access to your
communications by "authorised parties" (such as commercial entities
purchasing access for MITM access - e.g. certain router/firewall
companies doing deep inspection of SSL via resigning or owning both end
points). If it's only your own communications and not with a third,
commercial party, self-signed seems a lot more secure.

Getting a bit OT, but interesting nonetheless.

BillK

Ref:

https://checkthefirewall.com/blogs/fortinet/ssl-inspection

https://us-cert.cisa.gov/ncas/alerts/TA17-075A




Re: [gentoo-user] is "scp" reliable?

2021-05-31 Thread J. Roeleveld
On Saturday, May 29, 2021 11:04:44 PM CEST Mark Knecht wrote:
> On Sat, May 29, 2021 at 1:33 PM  wrote:
> 
> 
> > Another mystery.
> > I copied the file to USB 1TB sandisk.
> > md5sum check OK same as my computer
> > 
> > 

> Different revisions of md5sum possibly?

I have never had issues with different md5sum tools.
I often use md5sum along with sha1sum to check file-integrity of downloaded 
files. The checksums being provided by the source.

If there are differences, I would definitely suspect memory and CPU.

--
Joost






Re: [gentoo-user] app-misc/ca-certificates

2021-05-31 Thread J. Roeleveld
On Saturday, May 29, 2021 8:26:57 AM CEST Walter Dnes wrote:
> On Sat, May 29, 2021 at 03:08:39AM +0200, zca...@gmail.com wrote
> 
> > 125 config files in /etc/ssl/certs needs update.
> > 
> > For certificates I would expect the old and invalid ones to be replaced
> > by newer ones without user intervention.
> 
>   Looking through them is "interesting".  There seem to be a lot of
> /etc/ssl/certs/.0 files, where "?" is either a random number or
> a lower case letter.  These all seem to be symlinks to
> /etc/ssl/certs/.pem.  Each of those files is in turn a
> symlink to /usr/share/ca-certificates/mozilla/.crt.  How much
> do we trust China?  There are a couple of certificates in there named
> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_1.crt  and
> /usr/share/ca-certificates/mozilla/Hongkong_Post_Root_CA_3.crt.  Any
> other suspicious regimes in there?

I've always wondered about the amount of CAs that are auto-trusted on any 
system. Including several from countries with serious human rights issues.

I could do with a tool where I can easily select which CAs to trust based on 
country.

--
Joost
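
Added example, not part of the original thread and not code from the ca-certificates package: a sketch of the per-country selection asked for above. It resolves the hash.0 -> .pem -> .crt symlink chain described in the quoted message, groups the store by the subject's countryName, and prints '!'-prefixed lines for /etc/ca-certificates.conf; all function names are hypothetical, and it assumes the `!` deselection convention read by update-ca-certificates.

```python
import base64, collections, re, sys
from pathlib import Path

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
COUNTRY_OID = bytes.fromhex("0603550406")   # DER for OID 2.5.4.6 (countryName)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def subject_country(der):
    """Return the C= value of the certificate subject, or '??' if it has none."""
    _, pos, _ = tlv(der, 0)                 # enter Certificate SEQUENCE
    _, pos, _ = tlv(der, pos)               # enter tbsCertificate SEQUENCE
    tag, _, end = tlv(der, pos)
    pos = end if tag == 0xA0 else pos       # skip optional [0] version
    for _ in range(4):                      # serialNumber, signature, issuer, validity
        _, _, pos = tlv(der, pos)
    _, start, end = tlv(der, pos)           # subject Name (the issuer is not searched)
    i = der.find(COUNTRY_OID, start, end)
    if i < 0:
        return "??"
    _, vs, ve = tlv(der, i + len(COUNTRY_OID))
    return der[vs:ve].decode("ascii", "replace").upper()

def by_country(cert_dir="/etc/ssl/certs"):
    """Map subject country -> real file paths, following hash.0 -> .pem -> .crt symlinks."""
    groups = collections.defaultdict(set)
    for entry in Path(cert_dir).iterdir():
        real = entry.resolve()
        blocks = PEM_RE.findall(real.read_bytes()) if real.is_file() else []
        if len(blocks) == 1:                # skip bundles such as ca-certificates.crt
            groups[subject_country(base64.b64decode(blocks[0]))].add(str(real))
    return {c: sorted(paths) for c, paths in groups.items()}

def deselect_lines(groups, countries, share="/usr/share/ca-certificates/"):
    """'!'-prefixed lines for /etc/ca-certificates.conf (assumed '!' = deselected)."""
    return sorted("!" + p[len(share):] for c in countries
                  for p in groups.get(c, []) if p.startswith(share))

if __name__ == "__main__":
    found = by_country(sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/certs")
    print({c: len(p) for c, p in sorted(found.items())})
    print("\n".join(deselect_lines(found, sys.argv[2:])))
```

The C= attribute is whatever the CA wrote into its own subject name, so it is a rough filter and says nothing about who operates or controls the CA. Removals only take effect once the store is rebuilt with update-ca-certificates.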