[erlang-questions] SSL: "unknown ca"
zxq9
zxq9@REDACTED
Sat Jan 31 02:37:19 CET 2015
On Saturday, 31 January 2015 02:13:39 e@REDACTED wrote:
> On 01/31/2015 02:09 AM, PAILLEAU Eric wrote:
> >> trusted by WHOM?
> >> what particular application makes a decision to throw me an error?
> >
> > Trusted by you for sure.
>
> pardon me, i think puns are not very productive.
>
> > The error is raised by openssl.
>
> well, i guess there MUST BE a way to suppress this "wise" behavior.
> is there any docs, describing relations between erlang's "ssl" and
> openssl? how is it called? when? and what options are fed to openssl?
>
> maybe there is plain and simple switch "do not verify"?
This has been the reality sand in the CA pudding since the beginning.
You have a choice: verify every CA yourself (which pretty much relegates you
to only using CAs you or people you actually know generate), or trust the
general bundle that groups like OpenSSL, Mozilla, Google, Microsoft, etc.
generally trust together.
It's a usability issue.
Every time you hit an HTTPS site or use TLS you are trusting a CA in one of
those bundles that came with your OS or distro or browser. You are almost
definitely doing that right now to retrieve and read this message.
If, for example, you remove all the CAs from your browser's cache because you
don't trust them, then your view of the web will break -- because nothing that
requires 3rd party verification will work anymore. No more HTTPS, no more TLS.
Poof!
While it is indeed possible to comb through the CAs by hand and cull the ones
you don't trust, this quickly becomes a practically futile demonstration of
stubbornness instead of an activity that will enhance security. Not everyone
even understands what a CA is, so it's not an option open to any other than the
technically inclined -- which is at the heart of the (every?) security
conundrum.
Which brings us back to usability.
In the case of specific business applications or infrastructure you or people
you actually know have set up, creating your own constellation of CAs is
entirely reasonable and indeed more secure than trusting a giant bundle of
hundreds of CAs, the provenance of which nobody can actually prove. But this
is CAs for your own little world, your private, self-secured part of the
network. That is not a solution for anything outside of your control, and that
is most of the internet.
It's a tradeoff. In any case, you are better equipped to make decisions for
yourself if you understand that certificates do not by themselves actually
equate to security of the form people commonly believe. That's not a reason to
stop using the internet, but it is something to bear in mind.
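As an added illustration of the two choices described above (not code from this thread or from OTP), here is how both trust models look as Erlang ssl options: peer verification switched on in either case, with the trust anchor being either your own private CA bundle or the distro's public one. The module name, the 5000 ms timeout and the file paths are assumptions.

```erlang
%% Added example, not from the thread: connect with peer verification
%% against an explicitly chosen CA file. Paths are placeholders.
-module(ca_pin_example).
-export([connect_private/3, connect_public/2]).

%% Options shared by both cases: actually verify the peer's chain
%% (verify_peer; the ssl default of the era was verify_none), cap the
%% chain depth, and send SNI so the server presents the right cert.
base_opts(Host) ->
    [{verify, verify_peer},
     {depth, 2},
     {server_name_indication, Host}].

%% "Your own little world": trust only the root(s) you generated.
%% CaFile is a PEM bundle holding just those roots (placeholder path).
%% A peer whose chain does not end in one of them yields
%% {error, {tls_alert, "unknown ca"}}, the alert this thread is about.
connect_private(Host, Port, CaFile) ->
    ok = ssl:start(),
    Opts = [{cacertfile, CaFile} | base_opts(Host)],
    ssl:connect(Host, Port, Opts, 5000).

%% "The general bundle": trust the OS/distro CA store instead.
%% The path is an assumption for a Debian-style system.
connect_public(Host, Port) ->
    ok = ssl:start(),
    Opts = [{cacertfile, "/etc/ssl/certs/ca-certificates.crt"}
            | base_opts(Host)],
    ssl:connect(Host, Port, Opts, 5000).
```

Either function returns {ok, Socket} on a chain that terminates in a trusted root; the difference is only which roots count as trusted.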