this post was submitted on 02 Oct 2023
308 points (93.8% liked)
Sysadmin
7716 readers
12 users here now
A community dedicated to the profession of IT Systems Administration
No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
[email protected]
[email protected]
[email protected]
[email protected]
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
How are they not secure? You are still doing TLS to the service, maybe they have weak keys but it is still a form of secure connection.
Certs do more than encryption in transit. They are also used for protection against MitM and authentication. Self-signing removes the ability to verify a cert's authenticity.
That's bullshit. You are the one who issued the cert. You can add it to your list of trusted certificates. You just have to check that this is the right certificate.
Your man in the middle scare comes from users who ignore cert warnings and continue without checking anything.
Nope. That's the basics of PKI and scalable, secure, low-trust environments.
You can indeed do these things. But, are you and your users going to verify every cert for every request and response? That's a lot of unnecessary cognitive load and tedium, both of which are known to compromise judgement. Are you going to automate it? Ok then how are you going to verify the authenticity of a given cert?
Humans are not rational actors. Does everyone read the entire EULA? Not even close.
The problem with your statement, and why it is fallacious, is that you are not accounting for humans besides yourself. I'd even argue that you should also take your human nature into account because we all make mistakes.
Robust security postures do not require everyone to act perfectly but accept and plan for the fact that we're fallible. That is why chains and webs of trust were created, so that humans and automated services can take an approach of deference towards a less mutable "expert" on whether a claim of authenticity is trustworthy - giving them the capability and responsibility of deciding this for themselves introduces unnecessary targets for exploits.
Your man in the middle argument is invalid, no matter how much you write. Just trust youur self signed certs and you users see no difference. That's even more secure than blindly trusting the idiots from verisign.
Don't act so smug.
It really isn't and it's a significant part of why PKI exists in the first place. I've been doing this stuff professionally for over a decade and am very familiar with ISO27001, SOC2, and CIS standards, as well as generally just finding that a healthy dose of paranoia in computing keeps things more secure. Understanding how and why PKI works and is architected as it is is something that I recommend that everyone involved in technology explore.
This is problematic if a service needs to be redeployed, the cert expires, or becomes compromised, leaking its keys. In the former two scenarios, the new cert needs to be added on all of your end users' machines. If you have just a few users, sure, that's easy enough but, tedious and unnecessary. If it is a case of the latter, you now need to revoke the cert on all systems that have trusted it and deploy a new one. Again, tedious and prone to human error. Plus, you have to hope that you detect this quickly, otherwise a malicious host can harvest a lot of potentially-sensitive information, a situation easily prevented with a trusted CA.
I'm not suggesting that a public CA is the best choice for everyone or every situation. For internal use, a well-managed private CA or LE is probably a better choice, purely from a cost perspective.
I'd also like to understand why you are so hostile towards Verisign and feel better qualified in cert management. Were you or someone close to you caught up in their 2010 breach?
Not sure where this hostility is coming from. I am primarily explaining how these statements are not in line with intended use of security technologies and best practices. If you don't like currently accepted security best practices, that's absolutely your prerogative.