this post was submitted on 16 Dec 2024
358 points (97.9% liked)
Technology
59982 readers
3936 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related content.
- Be excellent to each another!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, to ask if your bot can be added please contact us.
- Check for duplicates before posting, duplicates may be removed
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Not at all, thank you for actually trying to answer my question instead of just telling me how it is supposed to work!
Just quickly, no I didn't wonder about the keys encryption strength, what I do wonder about is if it is overall more secure to use a "trusted" entity, than, if the browsers weren't locked down, my own home-generated signature.
I mean, if someone tries to "man in the middle", or maskerade as my website, the trusted stuff will not add any security.
If someone hacks my site, and then maskerades as me (or does their shenanigans) the trusted stuff doesn't add any security there either. They can just use my installed all set up "Trusted tm" certificate until it expires (my home made cert will expire too BTW).
So, for now, I don't see any benefit to this except the trusted entity gets to have control over it all (and earn some money).
I bet there are smarter people than me out there who knows why I'm wrong, hence all the noobie questions.
Cheers!
As long as they can obtain a certificate signed by a trusted signer for your name, you are correct. And you are touching on a real issue here. The number of trusted signers in the browser stores is large, and if only one can be tricked or compromised, then the MitM can generate a certificate your browser would trust just as well as your own original one.
then it's over anyway, yes. The signature on the certificate only validates your TLS key as being one that was properly assigned to the holder of your domain name. Once the endpoint is compromised, TLS doesn't matter anymore.
Actually maybe they aren't as locked down as you think. To my knowledge you can add your own signing key certificates to your local installation of Firefox, Chrome and the Windows cert storage. In fact there are companies who do this a lot. They Man-in-the-Middle all their employees, with a proxy that does security scanning. For this reason they will deploy their signing keys internally. So the browsers still work. You can use these mechanisms for yourself if you like.
Example documentation: https://support.mozilla.org/en-US/kb/setting-certificate-authorities-firefox