regarding ssl certificates

John Tulp johntulp at tulpholdings.com
Fri Mar 15 05:58:28 EET 2019


On Thu, 2019-03-14 at 15:08 +0100, Stephan von Krawczynski via dovecot
wrote:
> On Thu, 14 Mar 2019 09:51:14 -0400
> Phil Turmel via dovecot <dovecot at dovecot.org> wrote:
> 
> > On 3/14/19 7:40 AM, Stephan von Krawczynski via dovecot wrote:
> > 
> > > Sorry I have to write this, but this is again pointing people in a fake
> > > security direction.  
> > 
> > You should be sorry, because you are wrong.
> > 
> > > The only valid authority for a certificate is the party using it. Any third
> > > party with unknown participants cannot be a "Certificate Authority" in its
> > > true sense. This is why you should see "Let's Encrypt" simply as a cheap
> > > way to fake security. It is a US entity, which means it _must_ hand out all
> > > necessary keys to fake certificates to the US authorities _by law_.  
> > 
> > Certificate authorities, including Let's Encrypt, operate on Certificate 
> > Signing Requests, not Private Keys.  Some CAs do offer private key 
> > generation in their services for the user's convenience, but it is not 
> > recommended (obviously) and in no way required.  Getting a CA to sign a 
> > CSR in no way exposes keys to that CA, and therefore not to any government.
> > 
> > While there are weaknesses in the CA trust system, they aren't anything 
> > related to replacing a snakeoil cert with one from Let's Encrypt.
> > 
> > [rest of ignorant rant trimmed]
> 
> Some facts for you, as obviously you have not understood what a CA is worth
> that is compromised by either hackers or "authorities".
> If you want to know more, read articles about closing of CA DigiNotar, like:
> https://en.wikipedia.org/wiki/DigiNotar
> 
> Then read US export laws concerning security devices.
> Then judge your US-issued certs...
>  
> > Phil
> 
I concur Stephan; I apologize to others if I seem ignorant.

Just an FYI, a founder of Let's Encrypt, and host of its website is
Akamai, which also hosts nsa.gov, cia.gov, etc.  Akamai principal
founders were a US guy and a US/Israeli spy guy.

I once did a traceroute on the mailserver that sent me an email (from a
bank); the route went over to Europe, to Virginia, back to Europe, then
back to me (in the US).  It made me laugh it was so obvious.  The bank's
service provider that provided the email service?  Akamai.

Any time you're using the "internet", well, let's just say that many
very intelligent people are quite naive when it comes to internet
security.

Encryption is just really not that much of a barrier any more.

Developers are always told "don't roll your own encryption".  Well, to
even set up encryption software (algo selection, etc.), it's something
that is beyond most of us.  I always try to do at least some minimal
research to see "what's what", and with encryption it always boils down
to having very low confidence that what I'm setting up would take more
than a few minutes for a serious "invader" to totally break through.

Encryption is being used to promote a false sense of security.

It could only be more obvious if NSA directly sold certificates
themselves.  I'm sure there would be many very intelligent folks who
would happily purchase them and think they were the greatest thing since
sliced bread.

To close rant, in my humble opinion sure, encrypt if you like, give it
your best effort, but don't assume that anything is "secure".
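Phil's point in the quoted reply, that a CA signs a certificate signing request and never receives the subscriber's private key, shown as an added example (not code from anyone in this thread) using Go's standard library: the CA side is handed only the CSR bytes, checks the CSR's self-signature, and issues a certificate from the public key inside it, and the subscriber side then confirms the CSR carried no private key material. The throwaway root CA, the host name and the function names are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// caIssue plays the CA. Its only input from the subscriber is the CSR: it checks the CSR's
// self-signature (proof of possession of the matching private key) and signs a leaf cert
// with a throwaway self-signed root constructed here for the example.
func caIssue(csrDER []byte) (leafDER []byte, root *x509.Certificate, err error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil { return nil, nil, err }
	if err := csr.CheckSignature(); err != nil { return nil, nil, err }
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, caPub, caPriv)
	if root, err = x509.ParseCertificate(rootDER); err != nil { return nil, nil, err }
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, DNSNames: csr.DNSNames,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour)}
	// csr.PublicKey is all the CA ever learns about the subscriber's key pair.
	leafDER, err = x509.CreateCertificate(rand.Reader, leafTmpl, root, csr.PublicKey, caPriv)
	return leafDER, root, err
}

// Enroll plays the subscriber: make a key, hand the CA only a CSR, get a cert back.
// certOK: the cert chains to the CA and carries our public key. keyLeaked: the CSR bytes
// contain the private seed (they never should; the key stays on the subscriber's side).
func Enroll(host string) (certOK, keyLeaked bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return false, false, err }
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, req, priv) // signed by priv, carries only pub
	leafDER, root, err := caIssue(csrDER) // only the CSR crosses to the CA
	if err != nil { return false, false, err }
	cert, err := x509.ParseCertificate(leafDER)
	if err != nil { return false, false, err }
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	certOK = err == nil && cert.PublicKey.(ed25519.PublicKey).Equal(pub)
	return certOK, bytes.Contains(csrDER, priv.Seed()), nil
}
```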
