Foiling MITM attacks on source and ports trees
Chad Perrin
perrin at apotheon.com
Tue Jan 6 19:32:24 UTC 2009
On Tue, Jan 06, 2009 at 10:22:29AM +0100, Wojciech Puchar wrote:
> >>someone like the FreeBSD Foundation as an appropriate body to own the
> >>cert.
> >
> ><OT>
> >I would actually trust a self-signed cert by the FreeBSD security officer,
> >more then one by Verisign.
> of course.
>
> there is no need to have an "authority" to make key pairs, everybody do it
> alone.
>
> actually i would fear using such keys because i'm sure such companies do
> have a copy of both keys.
Out-of-band corroboration of a certificate's authenticity is kind of
necessary to the security model of SSL/TLS. A self-signed certificate,
in and of itself, is not really sufficient to ensure the absence of a man
in the middle attack or other compromise of the system.
On the other hand, I don't trust Verisign, either.
I believe some steps are being made by the Perpsectives [1] project that
lead in the right direction [2]. Unfortunately, it's not available at
present for FreeBSD, because the Firefox plugin depends on a binary
executable compiled from C, and my (brief) discussion with one of the
people involved in the project about the potential of porting it to
FreeBSD didn't really bear fruit.
NOTES:
[1] http://www.cs.cmu.edu/~perspectives/index.html
[2] http://blogs.techrepublic.com.com/security/?p#571
--
Chad Perrin [ content licensed OWL: http://owl.apotheon.org ]
Quoth Anonymous: "Why do we never have time to do it right, but always
have time to do it over?"
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20090106/1971d5c9/attachment.pgp
More information about the freebsd-questions
mailing list