Collaborate Disseminate
I tried to find a resource about how one verifies a service’s security and their claims when they are not open source. Like 1Password, they describe many good approaches that they are using to secure the password. But, without access to th… Continue reading Verifying closed-source services’ security [duplicate]
I’m using Google CA Service Provider in the Google Cloud to issue key materials on their FIPS-140-2 Level 3 HSMs (google’s service).
I intend to send the attestation bundle alongside public keys and other proofs as a CSR to a 3rd party Tru… Continue reading How to get a CA into a Trust Chain
This is partially a follow-up to the these questions:
Is visiting HTTPS websites on a public hotspot secure?
Can free Wi-Fi hotspot providers snoop on HTTPS communications?
I understand of course there this exists other ways to compromise … Continue reading What mechanisms exist to detect compromised default certificate private signing keys?
The major browsers natively trust a whole bunch of certificate authorities, and some of them are really sketchy:
Google’s Chrome, Apple’s Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what’s known as a root certificate authority, a powerful spot in the internet’s infrastructure that guarantees websites are not fake, guiding users to them seamlessly.
The company’s Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade…
Continue reading An Untrustworthy TLS Certificate in Browsers
At some point, you will find yourself asking – is my device actually running the code I expect it to? [bunnie] aka [Andrew Huang] is passionate about making devices you …read more Continue reading Here’s How The Precursor Protects Your Privacy
I have a pki infrastructure for internal company use.
In this pki there are multiple registration authorities whose responsibility is to.
receive certificate issuance requests
verify the identity of the user/device/entity requesting the c… Continue reading What is the best practice for relying parties to selectively trust certificates in a corporate pki hierarchy?
We are told that the roots of trust in the PKI are the handful of
Certificate Authorities that issue root certificates and sign other certificates and ensure at least some extent of trust to be maintained on the internet.
These root certif… Continue reading Where does the root of trust actually lie?
If I have a self-signed CA certificate in my truststore, and I am sent a chain of certificates where the root CA is missing, is this a problem and if so why? Say that the last certificate in the chain is called S and is signed by CA.
If th… Continue reading Why include the root certficiate in the chain, if it is already in receiving parts’ truststore?
Let’s say that I have a single-page web app written in JavaScript and a server-side API, both changeable by me. The app calculates some values based on user input and POSTs these to the API. The values are based on user input but do not co… Continue reading Preventing users from tampering with input
openssl verify can be executed with both flag -CAfile <FILE> and -trusted <FILE>. The explanations from OpenSSL 1.1.1 manual:
-CAfile <FILE>
A file of trusted certificates. The file should contain one or more certificates… Continue reading Difference between -CAfile and -trusted in OpenSSL verify