[Tracker-discuss] Pseudo protection of b.p.o from MITM

anatoly techtonik techtonik at gmail.com
Thu May 8 10:06:41 CEST 2014


On Tue, Apr 22, 2014 at 4:22 AM, Stephen J. Turnbull <stephen at xemacs.org> wrote:
> Anatoly, don't you know that cross-posting is a bad idea?[1]  If you
> disagree with the management of bugs.python.org, tracker-discuss is
> the right place to post.

SSL certificates are not a question related to the tracker, but a question
related to infrastructure.

>  > The b.p.o uses CAcert certificate that was never valid on Windows
>
> Of course it was valid, it was simply not trusted by default.  Given
> Microsoft's historical aversion to "free" anything, that's a
> completely null signal.

CAcert certificates on b.p.o are invalid, because they do not fulfill their
purpose - providing a protected channel.

If self-signed certificates and compromised certificates present on b.p.o
are also valid for you, let's use the word "insecure". Hopefully, that's
better.

> Perhaps it's worth moving to a different free root authority, or maybe
> even (gasp!)  paying for a well-known commercial certificate, but you
> need to find one that satisfies the technical requirement posted by
> Martin -- namely, that certs for a particular host should *not* allow
> escalation of privilege to all hosts in the python.org domain.  (Note
> that if we use a commercial service this probably becomes rather
> expensive.)  There may be other requirements I don't know about.

Can you post a link with a description of how a certificate for
bugs.python.org can escalate privileges to other python.org
subdomains?

> Personally, since I think that the X.509 architecture is broken at the
> top in practice (why is Verisign trustworthy? how about the Chinese
> National Network Information Center? or the Japanese Ministry of
> Education (my employer)? yet most systems -- including Windows --
> default to trusting any certificate issued by any of them), having a
> root cert that seems trustworthy to me, yet isn't trusted by default,
> allowing me to *choose* to assign an appropriate amount of trust to
> bugs.python.org, seems to be the most secure option.
>
> I don't know if it's any better than a self-signed cert, of course.

The biggest problem is that you and bugs.python.org teach users that
a broken security certificate for a site is the norm. They think that it is
just an annoyance, so they remove the nag and click further.

If people don't care, any PyCon can be used to gather accounts to
use for more profitable attacks.

>  > I disapprove the decision of these people
> What else is new?

I provided an explanation why?

>  > and hope that somebody from python community can change their
>  > convoluted understanding of security.
>
> Security *is* convoluted, and your own understanding of it seems to
> be limited since you misuse technical terms like "valid" (there's a
> difference between "cannot be validated" and "not valid").

I am not an Englishman. That's all.

> Footnotes:
> [1]  Among other things, it makes it likely that the ban on your
> participation will be extended.

You don't like criticism, so it's no place for me anyway, and I still
don't understand people who ban other people just because these
other people are grumpy.
-- 
anatoly t.

