this post was submitted on 17 Nov 2023
-6 points (20.0% liked)

Security

674 readers
2 users here now

A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules :

  1. All instance-wide rules apply.
  2. Keep it totally legal.
  3. Remember the human, be civil.
  4. Be helpful, don't be rude.

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 1 year ago
MODERATORS
-6
submitted 1 year ago* (last edited 1 year ago) by Rick_C137 to c/security
 

Hi,

If you don't know how work the chain of trust for the httpS

You might want to watch this video https://invidious.privacydev.net/watch?v=qXLD2UHq2vk ( if you know a better one I'm all ears )

So in my point of view this system have some huge concerns !

  1. You need to relies to a preinstalled store certificate in your system or browser... Yeah but do you know those peoples ??!! it might seem weird, but actually you should TRUST people that YOU TRUST/KNOW !!

Here an extract from the certificate store om Firefox on Windows.

I do not know ( personally ) any of those COMMERCIAL company !

  1. Of course we could use Self-certificate but this is not protecting against Man-in-the-middle_attack . Instead of using a chain (so few 3th party involved , so increasing the attack surface ! ) why not using something simpler !? like for example
  • a DNS record that hold the HASH of the public key of the certificate of the website !
  • a decentralized or federated system where the browser could check those hash ?

Really I don't understand why we are still using a chain of trust that is

  1. not trusted
  2. increase the surface of attack
  3. super complex compare to my proposals ?

Cheers,

Why I don't use the term SSLBecause actually httpS now use TLS not anymore ssl https://en.wikipedia.org/wiki/Transport_Layer_Security

you are viewing a single comment's thread
view the rest of the comments
[–] RonSijm 6 points 1 year ago (3 children)

Really I don’t understand why we are still using a chain of trust that is

It would basically be mutually assured destruction if one of these trusted root certificates would hand out false certificates. If evidence comes to light that a Root Certificate Authority creates false certificates or can't be trusted somehow, they get delisted. For example, look up "TrustCor" - they were too closely tied to US intelligence that everyone (Mozilla, Microsoft, Google, Apple) removed them as trusted CAs

a DNS record that hold the HASH of the public key of the certificate of the website !

How are you getting that record safely, over the internet? There's DNS cache poisoning and other attack vectors on DNS related services that would still let you MITM https.

Systems that rely on you to go on the internet to check if the internet is safe can just as well be compromised. How do you ensure the "internet based trust lookup" can be trusted?

[–] Rick_C137 -2 points 1 year ago (2 children)

So maybe the solution relies trough a blockchain ?

or something that from scratch mind privacy, and decentralization ? Like TOR

[–] RonSijm 2 points 1 year ago (1 children)

So maybe the solution relies trough a blockchain ?

I don't really see how that would help - but maybe you can elaborate how a blockchain solution would help?

[–] v9CYKjLeia10dZpz88iU -2 points 1 year ago* (last edited 1 year ago)

Domains depend on cryptographic keys instead of a group of trusted companies. There are blockchain solutions that exist already. [Ethereum Name Service, Namecoin, etc] The problem becomes determining if the client has the correct blockchain or has enough proof that the retrieved records from the blockchain are accurate.

They're not really necessary though, as the current system has worked very well.