[CLUE-Admin] SSL cert for CLUE
David Anselmi
anselmi at anselmi.us
Sun Apr 18 14:59:22 MDT 2004
CLUE President wrote:
[...]
>>and you've got better security than buying one from FreeSSL or Verisign.
>
> I'm not following - better security in terms of what? The security of SSL is
> limited by the key length. The commercial vendors offer the perception of
> trust -- that's it.

The CA's certificate practices are just as important as key length and
algorithm strength. That is, how carefully do they check that what they
are attesting is the truth? How well do they protect their process and
private keys? How hard is it to find another CA that will attest the
same thing for someone else?

By contrast, giving CLUE members our CA cert at a meeting tells them
that yes, in fact, this is the CLUE cert because Jeff said so.

This doesn't scale for people doing e-commerce with millions that they
never want to meet but for us I think it works.

[...]
>>Of course, if no one understands how a CA works then $39 is a bargain.
>
> I'm not sure what you mean by this statement, either. Who's no one? Me?
> admins? members? everyone?

The people who run the CA. Using the out of the box openssl tools isn't
terribly convenient and good certificate practices aren't exactly
obvious either. There is http://www.openca.org/ though (cool, they're
protesting European software patents, too).
>>OTOH, why bother with a cert? What threat are we countering?
>
> In particular, our mailman users all have to send their passwords in the clear
> (Lynn and I discussed this after our mailman list admin password was
> compromised and our mailman admin page was hacked). The recommended 'fix'
> for this (from the mailman web site) is to run list admin pages through SSL.

Yes, that's a legitimate need. We care more about admin passwords than
users though, I think, and the admins can tunnel over ssh easily enough.
Or install our self-signed CA cert. There's a big difference between
providing security to admins vs. users and most of your arguments for
convenience are most relevant for users, I think.

[...]
> Then there's the issue that users may want to visit CLUE and read the pages
> without their ISP or employer proxies (or No Such Agency) monitoring where
> and what they do. I think this is a big issue. Some sites only allow SSL
> access. It's about privacy.

That doesn't seem too relevant. The whole site is public and the SSL
connection can be traced. So I don't know which pages you were looking
at but I know it was 5 out of these 50 on the CLUE web server.
>>Aren't there a dozen more immediate that we should worry about (like keeping
>>things patched)?
>
> Dave you're welcome to start working on it... Should I pencil you in for next
> weekend? :)

I'm really tempted because I feel bad that CLUE doesn't have a good
admin. That's to say that no one has time to do it, not that there's a
lack of competence.

When was the mailman admin password compromised? Do you really think it
was sniffed? That's possible if someone was using it in an untrusted
environment (coffee house wifi or something). I think it unlikely that
it was sniffed off Techangle's network, or off, say, my home or work
networks.

OTOH, the whole server could have been compromised using a remote
exploit. Not only would that do more damage than a hacked admin page,
it would be much harder to clean up.

The bottom line is that $39 buys you some convenience and an
indeterminate amount of trust. Up to you whether that is a good value
or not. On principle, I don't think that commercial CAs provide useful
security.
Some things to think about if you go forward:

The cert CN has to match the web server URL. So either
www.clue.denver.co.us or clue.denver.co.us, but not both. You also
can't use cluedenver.org and clue.denver.co.us without two different
IPs. SSL is IP based, not name based.

I was going to say that it's important to protect the cert's private
key, which it is. But it has to be available unencrypted to Apache so
beyond file permissions on the server there isn't much else to do.

Dave
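
The file-permission point at the end of the message above can be checked mechanically. The following is an added example, not part of the original post or of any CLUE tooling: it audits a server private key file for owner, mode, parent directory and PEM encryption. The file name `server.key`, the default of root as the only accepted owner, and the placeholder key body are assumptions constructed for the demo.

```python
import os
import stat
import tempfile

def audit_private_key(path, allowed_uids=(0,)):
    """Return findings for a server private key file; an empty list means clean."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("path is a symlink; check the link target's directory too")
        st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return findings + ["not a regular file"]
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access; use 0600 or 0400"
                        % stat.S_IMODE(st.st_mode))
    if st.st_uid not in allowed_uids:
        findings.append("owner uid %d is not in %s" % (st.st_uid, sorted(allowed_uids)))
    # Whoever can write the directory can replace the key file the server loads.
    parent = os.stat(os.path.dirname(os.path.realpath(path)))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("parent directory is group/world-writable")
    with open(path, "r", errors="replace") as fh:
        lines = fh.read(4096).splitlines()
    if not lines or "PRIVATE KEY-----" not in lines[0]:
        findings.append("first line is not a PEM private key header")
    elif "ENCRYPTED" in lines[0] or any(
            l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:3]):
        findings.append("key is passphrase-encrypted; server needs the passphrase at startup")
    return findings

def demo():
    """Audit a constructed placeholder key at 0644, then again at 0600."""
    workdir = tempfile.mkdtemp()  # created 0700, so the parent check passes
    key = os.path.join(workdir, "server.key")  # hypothetical file name
    with open(key, "w") as fh:
        fh.write("-----BEGIN PRIVATE KEY-----\n"
                 "Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"  # constructed, not a real key
                 "-----END PRIVATE KEY-----\n")
    me = (os.getuid(),)  # assumption: the demo runs unprivileged, so accept our own uid
    os.chmod(key, 0o644)
    loose = audit_private_key(key, allowed_uids=me)
    os.chmod(key, 0o600)
    tight = audit_private_key(key, allowed_uids=me)
    return loose, tight

if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result or "clean")
```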