08.17.22

Gemini version available ♊︎

Transport Layer Security (TLS) is Fine, Centralised Certificate Authorities (CAs) Are Not

Posted in Deception, Security at 3:19 pm by Dr. Roy Schestowitz

Video download link | md5sum b147528fd1ea28881ed4578632fbd8b7
War on Decentralised Internet and Computing
Creative Commons Attribution-No Derivative Works 4.0

Summary: There’s a lot of misconception/misunderstandings about what the Certificate Authorities (CAs) are, what they’re for, how they work, and why they don’t actually tackle the biggest security and privacy problems, they’re mostly about centralisation of control and outsourcing of “trust” from pertinent sites/services to monopolies, empires, and oligarchs

SOME days ago someone was “[s]houting out to @tuxmachines to check your server. SSL certificate-based error messages are flying…”

This was not unforeseen. A lot of people sadly believe what Web browsers tell them, not bothering to take into account the agenda promoted by such Web browsers. It’s about control and centralisation, it’s not about security and/or privacy. A “malicious Web site can easily get a TLS certificate from a CA and turn the padlock on your browser green and go ahead and load,” DaemonFC reminds us. “And it’s still a malicious Web site.”

“Let’s Encrypt even admits that they do nothing to protect you from a malicious Web site, and suggest reporting those to Google and Microsoft,” DaemonFC adds.

“A lot has happened since then, notably Russia’s invasion of Ukraine, which resulted in a lot of censorship inside Russia, by Russia, and against Russia.”Those who say that getting a ‘good’ certificate is ‘free’ may be missing the point. It is like buying a ‘secure’ boot certificate from Microsoft on the ‘cheap’ (until the OEMs toss them out). We wrote about this in relation to Certificate Authorities before, with focus on the “big fish”, Let’s Encrypt [1, 2, 3], or LE.

The video above revisits this subject. A lot has happened since then, notably Russia’s invasion of Ukraine, which resulted in a lot of censorship inside Russia, by Russia, and against Russia. Now that the centralised systems are in place, censorship is vastly stronger. Is this security???

A given Gemini address is accessible so long as there’s a certificate in place, even a self-signed one (vouching for oneself). The same model ought to have been adopted for the Web. For online banking it would help if banks sent expected fingerprints, e.g. by post. Outsourcing to monopolies isn’t the way to go.

“Outsourcing to monopolies isn’t the way to go.”Readers might correctly spot the resemblance or notice the similarity to UEFI ‘secure’ boot. First they start with recommendations, saying it is all about security and enhancing safety. And then intimidation, seeking compliance from people who disregard the recommendations. Finally, they resort to outright locking out (blocking) anything that is not submissive, e.g. after 90% or more have already surrendered. So this is a form of blackmail for lock-down, initially marketed as a well-meaning security scheme. They’re insincere about motives. Nothing here is “free”…

Right now, after we’ve witnessed expansion in Web censorship, we believe stronger resistance will be needed by explaining to people what’s happening. Remember that this is not about security; it’s all about control and one day revoking certificates can be weaponised further and further, just like DNS-level censorship, denial of ClownFlare access, and so on. They typically start with “pirates”, “terrorism”, and “the children” before resorting to political angles. CAs can very easily and immediately be leveraged for outright censorship.

“Finally, they resort to outright locking out (blocking) anything that is not submissive, e.g. after 90% or more have already surrendered.”In the video above I remind people that the Linux Foundation‘s LE has already revoked millions of cerificates before (without even properly explaining what had happened!) and it’ll happen again sooner or later. Maybe at some point they’ll just decide to revoke all LE certificates for Russian sites, citing some political “sanctions”. Then what? Who’s next?

As an associate noted yesterday, “those that control the signing authorities can issue revocations at any time they feel like it and for any reason they feel like…”

In the case of Debian, we recently saw how trademarks get leveraged to censor criticism and hide problems. They just confiscate critics’ Web sites. Maybe we’ll do a video about this soon, seeing that the debian.community site is now succeeded by debian.day and debian.news. It’s a namespace battle in DNS.

DaemonFC concludes: “The only thing that HTTPS does do is help keep what you do to interact with the server private from outsiders, and that is important. But if you fall for a site claiming to be your bank because it has a green padlock, that doesn’t help you avoid a scam. One of the reasons I used to promote HTTPS Everywhere to everyone was because I believed the user should have the option to try to force it on with as many sites as possible. But I never would have argued for a system where HTTP is basically deprecated without TLS and browsers try to say there’s something wrong with accessing such a Web site if you don’t mind your information between your browser and that site remaining private. It’s a good “upgrade”. It is. It stops things like the Man-In-The-Middle Attacks that Comcast was using in order to spam its customers and inject advertisements into Web pages. So that’s why I started using it. I thought it was outrageous that wherever I went, here’s Comcast injecting alerts about data usage or ads for their TV package into my Google searches. HTTPS breaking that is a happy side-effect of what it does.”

“I was big on the idea of bringing CACert into the certificates package used by Mozilla, but they always found some bullshit reason not to. Like, they didn’t even want to talk about it. The whole situation with certificates is a legacy of Netscape. All of the old “players” that are really valuable and “trusted” by just about everything started out that way because Netscape Corporation put them in the Netscape Navigator browser. Then Microsoft came along with their stolen Internet Explorer product (they stiffed Spyglass Mosaic and then didn’t pay them) and lobbed all the same certificates in so that sites working in Netscape Navigator would also load in Internet Explorer. And then the tragedy just kept expanding from there. Opera had to throw all the same certificates in because they’ve never had more than 2% of the browser market. The user has really no control over how this works. It’s always been 100% Big Business. From Netscape to Microsoft to Apple and Google.”

“Remember when they had that Diginotar CA that was compromised? An entire CA! They had to revoke and remove an entire CA. What a mess that was. Everything in that “chain of trust” was broken and all the sites that used it had to get new certificates, and many Windows and Mac developers got caught with their pants down and had security alerts warning the users not to install the software that the OS was saying “THIS IS FINE!” about yesterday. That was hilarious, and sad. Sad because everyone watched what ensued and nothing was fixed. They revoked one CA and caused all sorts of Hell, but it could happen with any of them.”

They still push this very same agenda for software, not only Web sites, various services (including IRC), and booting.

MinceR then said that “PKI as a whole is badly designed.”

Share in other sites/networks: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Reddit
  • email

Decor ᶃ Gemini Space

Below is a Web proxy. We recommend getting a Gemini client/browser.

Black/white/grey bullet button This post is also available in Gemini over at this address (requires a Gemini client/browser to open).

Decor ✐ Cross-references

Black/white/grey bullet button Pages that cross-reference this one, if any exist, are listed below or will be listed below over time.

Decor ▢ Respond and Discuss

Black/white/grey bullet button If you liked this post, consider subscribing to the RSS feed or join us now at the IRC channels.

DecorWhat Else is New


  1. IRC Proceedings: Tuesday, October 04, 2022

    IRC logs for Tuesday, October 04, 2022



  2. Links 05/10/2022: PL/Haskell 1.0 and RapidRows 1.0 Released

    Links for the day



  3. Links 04/10/2022: Introducing NVK, Kueue, Stellarium 1.0, WordPress 6.1 Beta 3, and OpenSSH 9.1

    Links for the day



  4. Linux Foundation Events Now 'Run' by Linux's Biggest Foe

    The Linux Foundation expresses gratitude, upfront, to only one company: Microsoft



  5. IRC Proceedings: Monday, October 03, 2022

    IRC logs for Monday, October 03, 2022



  6. Links 04/10/2022: Tor Project Board and Conflicts of Interest, More Politics

    Links for the day



  7. Microsoft Windows Sinks to Just 16% of the African Market

    As we noted yesterday, Windows is down sharply this month (27.1% market share worldwide) and the decreases are very significant in Africa, where Android (Linux-based) is spreading fast. Here’s a chart for Africa, showing Microsoft’s decrease to about 16%.



  8. IRC Widgets Working Again

    After turbulence and technical issues at KiwiIRC we've managed to get a semi-working solution or some workaround



  9. Trolled by Microsoft's Lennart Poettering and Bought by Wintel

    Last week’s public appearance by Torvalds seemed reluctant and a tad embarrassing (the media pointed out the awkwardness, too); whose idea was that, the Linux Foundation‘s?



  10. Links 03/10/2022: Git 2.38.0 and cinnabar 0.6.0rc1

    Links for the day



  11. Links 03/10/2022: OpenMandriva ROME Gold Candidate and IceWM 3.0.0

    Links for the day



  12. Members of the Administrative Council of the EPO Are Asked to Summon a Conference of Ministers of the Contracting States Due to Violations of the Law

    The EPO has turned into a farcical operation that laughs at the law, abuses its own staff, and lies to both staff and "customers" in the official Web site



  13. European School The Hague (ESH) Faces a Crisis and Families of EPO Workers Are Harmed Profoundly

    The European School The Hague (ESH) is not functioning like it’s supposed to; people who migrated (seeking a job) along with family members for an EPO position aren’t pleased (to say the least) and they request if not demand to speak with EPO management



  14. [Meme] Lowering the Bar With Nations That Barely Have Any European Patents (Close to Zero)

    The EPO has totally lost the plot; it completely neglected its mission in pursuit of money and optics



  15. Links 03/10/2022: GNU Linux-Libre 6.0

    Links for the day



  16. IRC Proceedings: Sunday, October 02, 2022

    IRC logs for Sunday, October 02, 2022



  17. Update on SeaMonkey 2.53.14 and NoScript Crashes/Palefills Not Working

    Reprinted with permission from Ryan



  18. Links 03/10/2022: Linux 6.0 is Out

    Links for the day



  19. GNU/Linux and the GPL in Particular Are Under Attack Because They Spread Fast (Like a 'Cancer')

    The good news is that GNU/Linux continues to expand (widespread usage); the bad news is, it has come under a sheer magnitude of attacks and the media barely bothers to mention the obvious



  20. Windows Majority in Asia Down to Just Three Countries, All-time Low for Windows Worldwide This Month

    The decline of Microsoft Windows continues; sooner or later Android (Linux inside) will be dominant in almost every country in terms of its market share or number of users



  21. Links 02/10/2022: Debian on Firmware Policy and PostgreSQL 15 RC 1

    Links for the day



  22. Links 02/10/2022: KStars 3.6.1 and DjangoCon Europe 2022

    Links for the day



  23. IRC Proceedings: Saturday, October 01, 2022

    IRC logs for Saturday, October 01, 2022



  24. Fedora 37 and SeaMonkey 2.53.14

    Reprinted with permission from Ryan



  25. 'Linux' Foundation, While Hoarding Over $200,000,000 Per Year, Calls Itself 'Non-Profit'

    This video (10:55-11:28 above), which was published a few weeks ago, gives insight into how much money the Linux Foundation and its proxies raise per year while paying Jim Zemlin [cref =164412 probably about $1.4 million per year already] (because it’s all so charitable)



  26. GNU/Linux Rises to Record Highs in Africa This Past September

    According to this map and these latest plots (based on data from about 3,000,000 Web sites), Windows majority is long lost in Africa and (‘proper’) GNU/Linux usage keeps rising (not just Android, which uses Linux)



  27. Ongoing Efforts to Convince OSI to Drop the Microsoft Funding (Which Comes With Strings, Such as the OSI Attacking the GPL)

    It's becoming increasingly clear that buzzwords and hype get misused to misframe and distract from abuses; we're meanwhile trying to convince the Open Source Initiative (OSI) to drop Microsoft because it pays the OSI for a disinformation campaign (portraying large-scale GPL violations as "AI")



  28. Richard Stallman on Libre Software

    Richard Stallman on Libre Software from LispNYC on Vimeo.



  29. IBM's Lobbying for (and Stockpiling of) Software Patents is Ruining Fedora and GNU/Linux in General

    Fedora suffers from software patents, hence it removes features while IBM lobbies for such patents and gives software patents to patent trolls (in patent sales)



  30. Microsoft Doesn't Like Open Source; It's Badmouthing, Stereotyping, Attacking It (to Shift Blame)

    This week I found out that a dear old friend lost all his money (about 150,000 pounds) due to a Microsoft LinkedIn scam; watch how Microsoft blames unpopular nation states, “open source”, the victims, and attackers (basically anyone but Microsoft), just as it does when defects in its software go unfixed for months


RSS 64x64RSS Feed: subscribe to the RSS feed for regular updates

Home iconSite Wiki: You can improve this site by helping the extension of the site's content

Home iconSite Home: Background about the site and some key features in the front page

Chat iconIRC Channel: Come and chat with us in real time

Recent Posts