• pinknoise
    link
    fedilink
    arrow-up
    6
    arrow-down
    1
    ·
    3 years ago

    You certainly didn’t miss anything, but the certificate isn’t any more dodgy than that of any other site.

    • ttmrichter
      link
      fedilink
      arrow-up
      5
      arrow-down
      2
      ·
      3 years ago

      Self-signed certificates are too silly to bother with. Might as well go straight http if you’re going to go self-signed.

      A CA-signed cert reduces the chance of a bad actor between me and the target site. A self-signed cert opens the door to trivial MitM attacks.

      • pinknoise
        link
        fedilink
        arrow-up
        6
        arrow-down
        1
        ·
        3 years ago

        A CA-signed cert reduces the chance of a bad actor between me and the target site.

        Because bad actors that can hijack your traffic are unable to get a fake certificate signed?!

        A self-signed cert opens the door to trivial MitM attacks.

        How would that be?

        • ttmrichter
          link
          fedilink
          arrow-up
          3
          arrow-down
          1
          ·
          3 years ago

          Getting a fake certificate signed requires state level opposition or entities with that level of resources, and frankly if your opposition is state level, you’re fucked anyway.

          Self-signed certs let Jimmy-Joe-Bob’s Rifle Range and Real Good Hacker Script Kiddie Ring fake you out in minutes.

          • pinknoise
            link
            fedilink
            arrow-up
            2
            ·
            edit-2
            3 years ago

            Getting a fake certificate signed requires state level opposition or entities with that level of resources

            Yeah like I said, if they can hijack your traffic, they can easily get a fake cert signed.

            Self-signed certs let Jimmy-Joe-Bob’s Rifle Range and Real Good Hacker Script Kiddie Ring fake you out in minutes.

            How? They would have to steal the CA key and could only impersonate the site with the self signed cert. (At least if you don’t add it to your certificate store)

            • ttmrichter
              link
              fedilink
              arrow-up
              2
              ·
              3 years ago

              The cert is self-signed. There is by definition no CA key! Anybody accessing that sight, unless they did something phenomenally stupid, is going to have to validate access by self-signed cert on each access. And that means that any MitM isn’t going to flag any alarms … because they’d be inserting themselves as a self-signed cert.

              • pinknoise
                link
                fedilink
                arrow-up
                1
                ·
                3 years ago

                The cert is self-signed. There is by definition no CA key!

                Sure, it’s even in the terminology you use self-signed. They used their own CA to sign the certificate.

                And that means that any MitM isn’t going to flag any alarms

                The fingerprints are going to change and it will be signed by another CA. So MitM-attempts are pretty obvious.

                • ttmrichter
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  3 years ago

                  Are you thick or are you trolling? (Serious question.)