So I recently argued with our Security Guy at work, about how important it is to phase out SHA1-signed Root CA certs from our product’s root store.
My argument was like this
* it is a self-signed cert (Root CA, not intermediate)
* the way it becomes trusted is not through the signature
* the actual thing you are trusting is the public key, not the signature
* also, no browser, OS, or Java lib publishers are removing these
His argument was like this
* standards like NIST say don’t trust SHA-1 for anything important
* if we keep them, it’s not a good look for us
* we are currently not using those certs (e.g. Entrust’s two oldest CAs) for anything at the moment
I asked him to explain the risk or a specific attack where breaking the signature (not the key) compromises anything, and apparently he “doesn’t have time to explain the basics to me” and I should go google it. Hmm
#sha1 #ssl #rootCA
In the #Android settings of #LineageOS20, in the "Encryption & credentials" section, I see a greyed-out menu item, "Certificate management app", that cannot be selected.
What kind of app could be used for this? Can the menu item be enabled somehow? Or does that only work with MDM?
I have been looking for a while for an app that can back up and restore the settings for enabled/disabled as well as custom #RootCA certificates, using root privileges.
Good news: the Chinese #CA https://www.bjca.cn/ (that is currently in the process of joining the #RootCA program in all our web browsers) has confirmed they have strong technical controls that separate their root CA business from their alleged #spyware business.
Bad news: The alleged spyware business, and the fact these are both under control of the same business.
We have a secretive company with a lot of shady connections and no real office. Ok, there are plenty of them, you say. Yes, but the others don't operate root CAs, the businesses that secure our Internet traffic. 🚩
They also claim to provide end-to-end encrypted mail, but are able to decrypt them. 😱 Reminds me of #Anom…
What could possibly go wrong?
#RootCA #CA #TrustCor
https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/
https://scotthelme.co.uk/impending-doom-root-ca-expiring-legacy-clients/
This is an interesting issue that gets little attention.
When we talk about connected machines that are no longer updated, we immediately think of the security risks this implies (no more patches) and incompatibility with future software versions.
1/n