[Noisebridge-discuss] New SSL key for noisebridge

Jacob Appelbaum jacob at appelbaum.net
Wed Jan 28 22:53:02 UTC 2009


Hi,

Today I received an email from RapidSSL/GeoTrust that we were still
using a weak Debian key. They threatened to revoke our key if we didn't
re-issue it.

I find this incredibly frustrating as I've tried a number of times to do
a re-issue, the most recent was on January 25th, 2009. Each time I tried
to revoke and reissue the certificate, the reissue system simply did not
work. I'd follow through all of the crazy hoops, all the way down the
rabbit hole and eventually I'd hit a dead end. No ability to enter a new
CSR and nowhere else to go. A totally incompetent revocation service.

I tried emailing their support contact address and I received no reply.
Great customer service! I'm super pleased I pay money to these people to
be ignored.

Today, I tried again and amazingly their system worked. They're also
finally signing with SHA-1 rather than (broken for years) MD5. I assume
this happened within a few hours of our presentation at the 25c3 but I
hadn't reissued my own certs to see this first hand.

Anyway, as a result of all of this, we have a new SSL cert on
www.noisebridge.net and it no longer has all of the issues that the old
one had. Some of those issues were known and obvious, some were not
known very well and were less obvious. As for the new certificate: It
looks like they still use sequential serial numbers, so not much has
really changed. They do not appear to be practicing defense in depth in
any visible way, they merely use SHA-1. I guess you could count their
systems barely working but I don't think that they can help it.

In the near future, I'll make a wiki page that discusses the history of
our little key and why it's interesting enough to warrant a wiki page.

As for a future bike shed issue...

We'll need a new certificate in mid March. What shall we do?

If it isn't clear, I think that (SSL/X.509) commercial certificate
signing is a total racket. It's dominated by a bunch of cartels (such as
Verisign) who pay big bucks to get their root into browsers and into
shipping operating systems. The certification processes are flawed and
they speak nothing of trust in a meaningful way. These companies can
hardly run their own websites. We're talking about websites that handle
business relating to their core business competency! I consider their
failures pretty shameful and I feel dirty giving these companies my
money. I feel even worse giving them Noisebridge funds that we all have
worked hard to raise.

I think that if we're going to keep playing "use-certs-signed-by-a-ca"
we should use CA Cert:
http://www.cacert.org/

They'll issue us certs for free and they're run by a community. Slowly
but surely, they're being accepted into browsers and popular operating
systems. I know many of the people involved (in Austria) and they're
totally awesome. Very talented, skilled and community oriented. They're
building real webs of trust. We can help them by using their services,
they'll help us by removing the cost component; verification is pretty
much the same all around. It seems win-win.

Unless we want to give the cartels money to tell us that we're safe when
there's next to nothing backing it up, I suggest we go with CA Cert.

Best,
Jake
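As an added example (not code from the original post or from the CA), here is a standard-library-only Python check for the two certificate properties the post discusses, the signature hash algorithm and the serial number; the 64-bit serial threshold and the constructed sample certificate are assumptions of the example, not something the post states.

```python
# Added example, not the post's code: read the signature algorithm and serial from DER.
OID_MD5_RSA = "1.2.840.113549.1.1.4"          # md5WithRSAEncryption

def _tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits = #length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(value):
    """DER OID contents -> dotted text, e.g. 1.2.840.113549.1.1.4."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:                      # last base-128 byte of this arc
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def audit_cert(der):
    """Return (signature OID, serial, findings) for a DER-encoded certificate."""
    _, cert, _ = _tlv(der, 0)                 # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                 # tbsCertificate ::= SEQUENCE
    tag, value, pos = _tlv(tbs, 0)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        tag, value, pos = _tlv(tbs, pos)
    serial = int.from_bytes(value, "big", signed=True)   # serialNumber INTEGER
    _, sig_alg, _ = _tlv(tbs, pos)            # signature ::= AlgorithmIdentifier
    _, oid_bytes, _ = _tlv(sig_alg, 0)
    sig_oid = _decode_oid(oid_bytes)
    findings = []
    if sig_oid == OID_MD5_RSA:
        findings.append("MD5 signature: chosen-prefix collisions are practical")
    if serial.bit_length() < 64:              # assumed threshold; sequential serials are tiny
        findings.append("serial under 64 bits: predictable, not random")
    return sig_oid, serial, findings

def _der(tag, content):
    """Tiny DER encoder (short-form lengths are enough for the constructed sample)."""
    return bytes([tag, len(content)]) + content

def sample_cert(oid_bytes, serial):
    """Constructed certificate skeleton holding only the fields the audit reads."""
    tbs = _der(0xA0, _der(0x02, b"\x02"))                      # version v3
    tbs += _der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
    tbs += _der(0x30, _der(0x06, oid_bytes))                   # AlgorithmIdentifier
    return _der(0x30, _der(0x30, tbs))
```

Run `audit_cert` on the DER bytes of a real certificate (for example the output of `openssl x509 -outform DER`) to get the same three-tuple; the sample builder exists only so the check runs offline.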
