[erlang-questions] SSL: "unknown ca"

zxq9 zxq9@REDACTED
Sat Jan 31 02:37:19 CET 2015


On 2015年1月31日 土曜日 02:13:39 e@REDACTED wrote:
> On 01/31/2015 02:09 AM, PAILLEAU Eric wrote:
> >> trusted by WHOM?
> >> what particular application makes a decision to throw me an error?
> > 
> > Trusted by you for sure.
> 
> pardon me, i think puns are not very productive.
> 
> > The error is raised by openssl.
> 
> well, i guess there MUST BE a way to suppress this "wise" behavior.
> is there any docs, describing relations between erlang's "ssl" and
> openssl? how is it called? when? and what options are fed to openssl?
> 
> maybe there is plain and simple switch "do not verify"?

This has been the reality sand in the CA pudding since the beginning.

You have a choice: verify every CA yourself (which pretty much relegates you 
to only using CAs you or people you actually know generate), or trust the 
general bundle that groups like OpenSSL, Mozilla, Google, Microsoft, etc. 
generally trust together.

It usability issue.

Every time you hit an HTTPS site or use TLS you are trusting a CA in one of 
those bundles that came with your OS or distro or browser. You are almost 
definitely doing that right now to retrieve and read this message.

If, for example, you remove all the CAs from your browser's cache because you 
don't trust them, then your view of the web will break -- because nothing that 
requires 3rd party verification will work anymore. No more HTTPS, no more TLS. 
Poof!

While it is indeed possible to comb through the CAs by hand and cull the ones 
you don't trust, this quickly becomes a practically futile demonstration of 
stubborness instead of an activity that will enhance security. Not everyone 
even understands what a CA is, so its not an option open to any other than the 
technically inclined -- which is at the heart of the (every?) security 
conundrum.

Which brings us back to usability.

In the case of specific business applications or infrastructure you or people 
you actually know have set up, creating your own constellation of CAs is 
entirely reasonable and indeed more secure than trusting a giant bundle of 
hundreds of CAs, the provenance of which nobody can actually prove. But this 
is CAs for your own little world, your private, self-secured part of the 
network. That is not a solution for anything outside of your control, and that 
is most of the internet.

Its a tradeoff. In any case, you are better equipped to make decisions for 
yourself if you understand that certificates do not by themselves actually 
equate to security of the form people commonly believe. That's not a reason to 
stop using the internet, but it is something to bear in mind.



More information about the erlang-questions mailing list