this post was submitted on 11 Jan 2024
44 points (100.0% liked)

Technology

58436 readers
5684 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s
[email protected]
[email protected]
[email protected]
enu
[email protected]
L4s
44
Revisiting Browser Trust - Security Now. Browser Certificate Stores and QWACs (twit.tv)
submitted 8 months ago* (last edited 8 months ago) by [email protected] to c/technology
4 comments fedilink hide all child comments
 

cross-posted from: https://infosec.pub/post/6945259

Let's talk about root certificate management and the EU proposed QWACs.

Steve Gibson of the security now podcast weighed in with opposition to the EUs proposed QWACs certs and cited a few other prominent figures also expressing opposition.

Paragraphing their concerns, they proposed that mandating a bunch of new CAs introduced more risk and greater opportunity for abuse or compromise. Steve favors less CAs also being in favor pruning out most, but 6 or 7.

At the moment, I don't care for browsers having their own certificate stores, as I would rather use the OS which I would use group policy for windows or use an automation tool for Linux.

I am also in favor of pruning out certs, though I've never tested that in an enterprise.

Does your organization allow non OS certificate stores?

Does your organization prune out default root certs?

How do you feel about the proposed QWACs?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 1 points 8 months ago

I setup our transparent proxy so we can do interception and IPS. I'm interested/concerned about the ability to use an intermediate ca cert downstream inline somewhere (like a teoco) and if regular consumer desktops would alert on that since their browser would trust the root. We GPO place our intermediate cert in the Windows trusted intermediates. I can't remember if browsing breaks without doing that.

Not really a concern if there's other certs/TLS required.in addition to the QWACs cert thought.

I got the impression the easier threat/worry was compromise of a nation CA and issuing illicit duplicate site certs, to then spoof a bank site. Still requires traffic redirection with DNS or routing though I think.