[Operators] SSL certificates / private CAs / CACert issue
skupko.sk at gmail.com
Thu Mar 21 00:38:08 UTC 2013
On 12/17/2012 12:13 AM, Peter Viskup wrote:
> I do understand the role of SSL and CAs well.
> Let me share some words of one of the CACerts people (from the mailing
> thread I post in the beginning):
> "One of the problems with CAcert: They sign certificates without any
> assurance of the issuer - the same, what StartCom does for class 1
> certificates, but StartCom is usually trusted by all major web browsers.
> If CAcert would offer certificate signing *only* for assured members,
> this would already improve security and trustworthyness, since then you
> can be sure, that a CAcert signed certificate is issued by a *known*
> person and not just by someone who has control over the mail server of a
> I do understand that list of trusted CAs could lead to "higher"
> security, but if we (XMPP operators) do accept CACert or StartCom then
> there could be no issue with accepting other CAs. What rules were
> followed by accepting these CAs?
> The other case is:
> you told I am ignorant because I do not follow some standard security
> advises and using our own CA for SSL/TLS on our public services. I
> fully agree with the security standard and best-practices, but
> question is - how many servers do use certificates which are not
> signed by trusted CA in XMPP (or SMTP) world. And if the number is
> higher than 1-10-20-40-100-1000-Idon'tknowhowmany - aren't you the
> ignorant of the reality?
> This is the reason of the discussion - recognize how many servers are
> using such certificates and/or certificates of CACert or other
> low-cost/problematic CAs (StartCom, [compromised]
> Verisign?,[compromised] whatever-else).
> ...and to come with some consensus regarding this issues on the end.
> Anyway the CA world in general is in crisis and there are many voices
> calling for something which will solve all SPOFs in this design. This
> is another grey point on the CA design which should be taken in mind.
> These are links to both threads:
>  ejabberd
>  XMPP operators
> Peter Viskup
let me share the list of XMPP servers which use 'not secure' SSL certs
on 5223 port:
CN is common name of the issuer of that cert. I didn't performed deeper
analysis. This is just not complete sight on the issue with the servers
not using [CACert,StartSSL]-signed certs.
I wasn't able to get the certs from all servers and filtered all with
issuer of one of these "/CAcert|StartCom|CA Cert|Thawte|RapidSSL/".
Checked 213 servers (list from jabberes.org or coccinella stats) and got
SSL info on port 5223 from 94 servers only (openssl s_client) and 20 of
them have installed 'wrong' certs.
Hope this helped to see the reality a little (as it is not complete :-) ).
Would be great to have a closer look on the reality with more information.
More information about the Operators