Re: [Nmh-workers] TLS certificate validation

From: Jeffrey Honig
Subject: Re: [Nmh-workers] TLS certificate validation
Date: Sat, 24 Sep 2016 12:43:55 -0400

On Sat, Sep 24, 2016 at 11:18 AM, Ken Hornstein <address@hidden> wrote:
> The _code_ to verify a certificate chain in OpenSSL is relatively
> straightforward; I'm not worried about writing that.  But sadly, the
> configuration for all of that is lousy, and you start to see why web
> browsers ship with their own set of root certificates.  A brief survey
> suggests to me that common open-source systems do not ship a set of
> popular commercial root certificates.  That would require people to get
> root certificates ... and while I can imagine that SOME people, here
> especially, would bother to do that, let's be honest: most people WON'T.
> As we've seen, a lot of people don't use replyfilter despite it being
> around for 4 years and something everyone complains about.  So it would
> be a fair amount of code that few people would use, and even less know

Any system that does not maintain up-to-date certificates is just broken; an invitation for security vulnerabilities to be exploited in situations where expired or revoked certificates can be exploited.  Validating the certificate chain should be the default and any other option available should come with language that strongly discourages its use.  Doing anything else would be giving people a false sense of security.
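Added example, not part of this message and not nmh code: a sketch of the policy the thread discusses, written against Python's `ssl` module (which wraps OpenSSL). Validation is on by default, the client fails closed when the system ships no root certificates, and the opt-out is explicit and warns. The function and parameter names (`has_ca_roots`, `make_client_context`, `insecure_skip_verify`) are hypothetical, and a Unix-like OpenSSL layout is assumed.

```python
import os
import ssl
import warnings


def has_ca_roots(cafile, capath):
    """True if either OpenSSL CA location actually contains something."""
    if cafile and os.path.isfile(cafile) and os.path.getsize(cafile) > 0:
        return True
    if capath and os.path.isdir(capath):
        with os.scandir(capath) as entries:
            return any(True for _ in entries)
    return False


def make_client_context(cafile=None, insecure_skip_verify=False):
    """Build a client TLS context that validates the chain unless told not to."""
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and hostname checking on.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)

    if insecure_skip_verify:
        # The opt-out exists, but it is never silent.
        warnings.warn(
            "TLS certificate validation disabled: the server's identity is "
            "not checked and the connection can be intercepted",
            RuntimeWarning,
            stacklevel=2,
        )
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        return ctx

    if cafile is not None:
        # User-supplied bundle, e.g. for a private CA.
        ctx.load_verify_locations(cafile=cafile)
        return ctx

    # No bundle given: rely on the system trust store, but fail closed with a
    # clear message if the system ships none (the case raised in the thread).
    defaults = ssl.get_default_verify_paths()
    if not has_ca_roots(defaults.cafile, defaults.capath):
        raise RuntimeError(
            "no root certificates found in OpenSSL's default locations; "
            "install a CA bundle or pass cafile"
        )
    ctx.set_default_verify_paths()
    return ctx
```

A caller would pass the result to `ctx.wrap_socket(sock, server_hostname=host)`, so the hostname check applies to the name the user asked for.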
