[Operators] SSL certificates / private CAs / CACert issue
Peter Viskup
skupko.sk at gmail.com
Thu Mar 21 00:38:08 UTC 2013
On 12/17/2012 12:13 AM, Peter Viskup wrote:
> I do understand the role of SSL and CAs well.
> Let me share some words of one of the CACerts people (from the mailing
> thread I post in the beginning):
> "One of the problems with CAcert: They sign certificates without any
> assurance of the issuer - the same, what StartCom does for class 1
> certificates, but StartCom is usually trusted by all major web browsers.
> If CAcert would offer certificate signing *only* for assured members,
> this would already improve security and trustworthiness, since then you
> can be sure, that a CAcert signed certificate is issued by a *known*
> person and not just by someone who has control over the mail server of a
> domain."
>
> I do understand that list of trusted CAs could lead to "higher"
> security, but if we (XMPP operators) do accept CACert or StartCom then
> there could be no issue with accepting other CAs. What rules were
> followed by accepting these CAs?
>
> The other case is:
> you said I am ignorant because I do not follow some standard security
> advice and am using our own CA for SSL/TLS on our public services. I
> fully agree with the security standard and best-practices, but
> question is - how many servers do use certificates which are not
> signed by trusted CA in XMPP (or SMTP) world. And if the number is
> higher than 1-10-20-40-100-1000-Idon'tknowhowmany - aren't you the one
> ignorant of the reality?
> This is the reason of the discussion - recognize how many servers are
> using such certificates and/or certificates of CACert or other
> low-cost/problematic CAs (StartCom, [compromised]
> Verisign?,[compromised] whatever-else).
> ...and to come to some consensus regarding these issues in the end.
>
> Anyway the CA world in general is in crisis and there are many voices
> calling for something which will solve all SPOFs in this design. This
> is another grey point in the CA design which should be kept in mind.
>
> These are links to both threads:
> [1] ejabberd
> http://lists.jabber.ru/pipermail/ejabberd/2012-December/007894.html
> [2] XMPP operators
> http://mail.jabber.org/pipermail/operators/2012-December/001528.html
>
> --
> Peter Viskup
>
Dear all,
let me share the list of XMPP servers which use 'not secure' SSL certs
on port 5223:
bbs.docksud.com.ar CN=bbs.docksud.com.ar
jab.undernet.cz CN=Undernet.cz
jabber.dn.ua CN=ejabberd
jabber.freenet.de CN=USERTrust
jabber.od.ua CN=Mickael
jabber.org.by CN=jabber.org.by
jabber.sk CN=TECHTIS
jabber.stammtisch.it CN=jabber.stammtisch.it
jabber.ulm.ccc.de CN=jabber.ulm.ccc.de
jabber.workaround.org CN=jabber.workaround.org
jabber.yorktondigital.ca CN=John
jabberpl.org CN=Certification
jid.pl CN=jid.pl
jis.mit.edu CN=ejabberd
phcn.de CN=phcn.de
silper.cz CN=Frenky
tidesofwar.net CN=tidesofwar.net
tigase.org CN=*.default
tigase.org CN=default
xmpp.org.ru CN=jabber.ttn.ru
CN is the common name of the issuer of that cert. I didn't perform a deeper
analysis. This is just an incomplete view of the issue with the servers
not using [CACert,StartSSL]-signed certs.
I wasn't able to get the certs from all servers, and I filtered out all with
an issuer matching one of these: "/CAcert|StartCom|CA Cert|Thawte|RapidSSL/".
I checked 213 servers (list from jabberes.org or Coccinella stats), got
SSL info on port 5223 from only 94 of them (openssl s_client), and 20 of
those have 'wrong' certs installed.
Hope this helps to see the reality a little (as it is not complete :-) ).
It would be great to have a closer look at the reality with more information.
Best regards,
--
Peter Viskup
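The survey step described in the post above (openssl s_client against port 5223, then a filter on the issuer), as an added example that is not part of the original message or of any of the listed servers' software: a Python wrapper around openssl(1) that fetches the leaf certificate, parses the subject and issuer printed with -nameopt RFC2253, and classifies the result. The accepted-issuer regex is the one the post used; the host names and DN strings in the comments and docstrings are constructed for illustration. It goes one step beyond the post's filter by also flagging self-signed certificates (subject DN identical to issuer DN), which a plain substring match on the issuer cannot catch when the self-signed CN happens to contain a CA's name.

```python
#!/usr/bin/env python3
"""Re-run the 5223-port certificate survey: fetch the certificate an XMPP
server presents on the legacy SSL port and flag it when its issuer is not
one of the CAs the post's filter accepts. Added example wrapping openssl(1);
hosts and DN lines used for illustration are constructed."""
import re
import subprocess

# Issuer filter from the post: anything not matching is reported as 'wrong'.
ACCEPTED_ISSUER_RE = re.compile(r"CAcert|StartCom|CA Cert|Thawte|RapidSSL")

# OpenSSL's RFC 2253 name output escapes literal commas as "\,", so split
# only on commas that are not preceded by a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(line):
    """Parse one 'subject=...' / 'issuer=...' line printed by
    'openssl x509 -nameopt RFC2253' into a dict attribute type -> value
    (first occurrence of each type wins). Constructed example input:
    'issuer=CN=CAcert Class 3 Root,OU=http://www.CAcert.org,O=CAcert Inc.'"""
    _, _, dn = line.strip().partition("=")
    attrs = {}
    for rdn in _RDN_SPLIT.split(dn):
        if "=" not in rdn:
            continue
        key, _, value = rdn.partition("=")
        attrs.setdefault(key.strip(), value.replace("\\,", ",").strip())
    return attrs


def classify(subject_line, issuer_line):
    """Return (status, issuer_cn). status is one of:
    'self-signed'  subject and issuer DN are identical,
    'unknown-ca'   issuer does not match ACCEPTED_ISSUER_RE,
    'ok'           otherwise.
    The self-signed check is evaluated first because a self-signed cert
    whose CN contains e.g. 'Thawte' would otherwise pass the regex."""
    subject = parse_dn(subject_line)
    issuer = parse_dn(issuer_line)
    issuer_cn = issuer.get("CN", "")
    if subject == issuer:
        return "self-signed", issuer_cn
    if not ACCEPTED_ISSUER_RE.search(issuer_line):
        return "unknown-ca", issuer_cn
    return "ok", issuer_cn


def probe(host, port=5223, timeout=10):
    """Fetch the leaf certificate with 'openssl s_client' (the post's step)
    and classify it; returns (None, '') when no certificate could be read."""
    try:
        sclient = subprocess.run(
            ["openssl", "s_client", "-connect", f"{host}:{port}",
             "-servername", host],
            input=b"", capture_output=True, timeout=timeout)
        # openssl x509 skips the s_client chatter and reads the first PEM block.
        x509 = subprocess.run(
            ["openssl", "x509", "-noout", "-subject", "-issuer",
             "-nameopt", "RFC2253"],
            input=sclient.stdout, capture_output=True, timeout=timeout)
    except (OSError, subprocess.TimeoutExpired):
        return None, ""
    if x509.returncode != 0:
        return None, ""
    lines = x509.stdout.decode(errors="replace").splitlines()
    subject = next((l for l in lines if l.startswith("subject=")), "")
    issuer = next((l for l in lines if l.startswith("issuer=")), "")
    if not subject or not issuer:
        return None, ""
    return classify(subject, issuer)


if __name__ == "__main__":
    import sys
    # One host per line on stdin, e.g. a list exported from a server directory.
    for host in (h.strip() for h in sys.stdin if h.strip()):
        status, cn = probe(host)
        print(f"{host}\t{status or 'no-tls'}\tCN={cn}")
```

Servers that only offer STARTTLS on 5222 will show up as 'no-tls' here, exactly as they did in the post's count of 94 out of 213; to cover those as well, replace the s_client arguments with `-starttls xmpp -connect host:5222`. The regex still only says that the issuer name looks like one of those CAs; it does not verify the chain, which is what `openssl verify` or the client's own trust store is for.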