Google launches root certificate authority

archive.is/V7fsZ

Surely nobody is going to be stupid enough to use certificates issued by Google, right?

I want to hang myself.

They already had an intermediate CA, who gives a fuck. This has to do with securing their own infrastructure.
Also, friendly reminder that you currently have Hong Kong post office, the China certification authority, and countless other CAs that you don't trust in your trusted root store.

WE MUST SECURE THE EXISTENCE OF OUR ANONYMITY AND A FUTURE FOR FREE SOFTWARE

I hate how all browsers are rigged to trust these (((certificate authorities))). Just make them all self-signed.
It's really transparent too: The agencies are obviously trivial for alphabets to take over, and over the years all major browsers have been creating FUD about self-signed certs, making it harder and harder to find the ignore button. Clearly (((someone))) is encouraging browser devs to do it.

Why wouldn't I trust the Hong Kong post office or the CCA?

But if they weren't rigged, you couldn't visit those websites. Or you could, but you'd have to be told they are insecure. I think it's a safe assumption, that SSL isn't secure anyway.

All browsers worth their weight in shit (and even those not) allow you to add/remove root certificates at will, so maybe rigged is the wrong word. But you're right.
Unfortunately, Let's Encrypt played right into the centralizers' hands there. Instead of campaigning for more self-signed certificates, some people just made their own root CA with blackjack and hookers. The problem remains unsolved.


These idiotic warnings are the real problem. Of course self-signing sites don't take off when normalfags are greeted by "OMG U MAY BE HACKED RIGHT NOW!!!!1" every time they visit one. The joke is that with the low amount of verification cert issuers perform, there is no difference between self-signed and "proper" certificates except for the pointless "verified ;)" stamp.
If browsers allowed you to keep track of self-signed certificates and warned you when they change, that would be a lot more useful.

Against active attacks by nations it certainly isn't secure because they can just issue a fake certificate with a root CA they control. I think Iran actually did that once.
Against passive attacks or smaller attackers, who knows.

2048 BROTHER

You, niggers, do not understand how TLS works.
If the certificate is self signed, there's no way to check if it's the real certificate of the website owner, or a MitM.
CAs exist precisely to solve this problem.

STALLMAN VULT

All we need now is a symbol

Wrong, you fucking sperg.

What's a certificate

Something like this maybe.

OPEN SOURCE GLOBAL FORCE

are you a fucking retard?

because they can create and sign any valid cert for TLS, that's why

I can't tell whether Google is even offering CA service here or only root certs for their own use. tl;dr

The problem is niggers trust Google more. Every time Google says "trust me goyim", all these niggers move in to suck their cock. As seen here:
reddit.com/r/netsec/comments/5qi2yx/google_trust_services_googles_new_inhouse_ca/
They think all other CAs are bad so Google must be good. We might as well just go to having only Google as the only CA, but then it would be too obvious how absurd X.509 is.


well he's right. the only proper way to do crypto is what niggers call "self signed certificates" and "cert pinning", except it's 1000x simpler (and more secure because less code) without all the X.509 infrastructure to get in the way


nope. even with CAs, there's no way to check if it's the real certificate. Sure one of 500 CAs vouched for it, but that's not any kind of proof. We could go on arguing about your latest memes like certificate transparency and whatever bullshit canaries you came up with lately, but I don't really care to explain to you. I mean why would I trust a set of 500 organizations to tell me whether I'm talking to my bank when I could just have got the key directly from my bank when I signed up (no they don't do this, but they should).

MASS SURVEILLANCE DIRECTLY FACILITATES GENOCIDE 2048 NORMIES NEED NOT APPLY


The lambda idea is cool, the name is retarded though.

Freedom(s) Lost Army?

What about something along the lines of 'Legion for Free Software'?

Because average user is too stupid to do this. And banks, unfortunately, have to work for everybody, including stupid people.
If at some time the world changes so that only clever people may have money, then maybe it'll change too.

In the same fucking post, Christ.

When they see it for the first time, what do they do?
Blindly trust?

FSM: Free Software Militia

How can I remove Google's certificates if that happens? It would be a feature for their websites to not work.

You should be able to just delete their entry in /etc/ssl/cert.pem or wherever your OS stores that stuff.

By rigged I mean:

The whole model is confusing integrity with consistency. Fags claim CAs are necessary to verify that dragondildos.com really belongs to Dragon Dildo LLC. But there's no magic identity verification, so you just end up trusting some unknown, unaccountable third party that doesn't give a shit about you and colludes with dangerous bad faith organizations.

The only thing worth using certs for is to make sure that dragondildos.com you're visiting today is the same old dragondildos.com that you've been visiting every day for years and have come to know and trust. The first time you visit a new site, there is no fucking safety net, cucks need to understand. You manually vet the website yourself depending on your expertise/social network/comfort/trust level. If you decide you trust it then you save the cert and then on repeat visits you don't need to re-do the vetting process because nothing has changed.

CAs are basically outsourcing this vetting process to some faceless, evil org. WTF. I understand maybe trusting your relative or your best friend to take care of your computer security if you're retarded, but you have a reason to trust those people. CAs are just fucking stupid.


Yes the warnings are cancer. It's not even the tone of the warning, you can just tell normalfags "it's okay man who do you trust more me your good friend or this pos browser made by some faggots you don't know?". The problem is that they keep hiding the link, making it tiny, burying it under several clumsy buttons so that if you are completely okay with a self-signed cert ignoring the warning is very tedious to the point of being unusable.

And I don't understand this fucking stupid concept that CA verified is better than self-signed. How is trusting a group of people (CA+cert creator) better than trusting a single person (self-signed)? Lol, the CA could just swap out the cert for the site outright and your cuck browser would tell you everything is fine because the CA said so.


When you visit a site for the first time, you need to worry about man on the end attack before you kvetch over MitM.


This. Of course there is a way, it's called researching the site, the owner, their reputation and using your fucking brain to decide. But of course your browser can't just do that for you.


User needs to use other channels to independently verify, then tell browser whether to trust or no. E.g. if a bank, I would expect to be able to call the bank's tech support and ask them if they are in control of domain so and so, and verbally confirm cert fingerprint. If they convince me, I save cert. If not, don't save, close account, call cops.
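
The workflow several posts above describe (confirm a certificate fingerprint over another channel, save it, and get warned when it later changes) can be sketched as follows. This is an added example, not code from anyone in the thread; `PinStore`, `pins.json` and `bank.example` are hypothetical names, and the demo bytes are constructed stand-ins for a DER certificate.

```python
import hashlib
import hmac
import json
import ssl
from pathlib import Path

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def normalize(fp: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' as read over the phone or from a letter."""
    return fp.replace(":", "").replace(" ", "").lower()

def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate without CA validation (needs network)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

class PinStore:
    """known_hosts-style store (hypothetical): host -> fingerprint, kept as JSON."""

    def __init__(self, path: Path):
        self.path = path
        self.pins = json.loads(path.read_text()) if path.exists() else {}

    def check(self, host: str, der: bytes) -> str:
        """Return 'unknown', 'match' or 'CHANGED'; never pins automatically."""
        pinned = self.pins.get(host)
        if pinned is None:
            return "unknown"
        return "match" if hmac.compare_digest(pinned, fingerprint(der)) else "CHANGED"

    def pin_if_verified(self, host: str, der: bytes, out_of_band_fp: str) -> bool:
        """Pin only when the presented cert matches the out-of-band fingerprint."""
        if not hmac.compare_digest(fingerprint(der), normalize(out_of_band_fp)):
            return False
        self.pins[host] = fingerprint(der)
        self.path.write_text(json.dumps(self.pins, indent=2))
        return True

if __name__ == "__main__":
    import tempfile
    store = PinStore(Path(tempfile.mkdtemp()) / "pins.json")
    der = b"constructed bytes standing in for a DER certificate"
    print(store.check("bank.example", der))
    print(store.pin_if_verified("bank.example", der, fingerprint(der)))
    print(store.check("bank.example", der + b"x"))
```

A `CHANGED` result covers both a legitimate key rotation and an interception, so it calls for a fresh out-of-band check rather than a silent re-pin.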

SLF: Software Liberation Front

Even if you can't verify the authenticity, it's still a much better chance of not being intercepted than no TLS at all.

Yeah, and it's because you are stupid.

sure

do some research before posting, please. don't pollute Holla Forums with pajeet-tier crap.

do you know how many GCHQ tapping operations are/were in hong kong/singapore?

oh but they do, and the amount of vpns that use google fucking dns (which uses the 8.8.8.8 private range which borders on the fucking nsa private ranges).

they were telling the turks to use google dns to get onto twitter as the best alternative dns, of course it is backdoored so the nsa could monitor the web traffic under erdogan's government.

mad fucking sus doesn't cover it.

OpenSSH got host verification right.


What's fucked is that even if you trust a self-signed certificate for a site then a rogue CA that your browser trusts by default could MitM and issue their own certificate for the site.

nice


do you?


you're literally complaining that the numbers are too similar?
wait until you find out who invented the internet

god you are such a cocksucking fagface why don't you just leave this board and kys

what does any of this have to do with Al Gore?

Well systemd defaults to using google dns, so it can't be that bad :^)

So what's a worse DNS, Google or your shithead ISP?

Both are worse.

Google worst because they use DNS queries from your IP to track you everywhere you go. Some ISPs do too but most don't.