Chris Matthews via llvm-dev
2017-Feb-13 21:24 UTC
[llvm-dev] Bugzilla invalid certificate issues
EV certs attempt to validate the identity of the organization that holds them. That is a nice assurance to have from a place that makes the thing that compiles your code.

On February 11, 2017 at 12:28:08 PM, Stephen Checkoway (s at pahtak.org) wrote:

> On Feb 10, 2017, at 18:27, Chris Matthews via llvm-dev <llvm-dev at lists.llvm.org> wrote:
>
> Letsencrypt only offers domain validation certs. I think an EV cert would be more appropriate for llvm.org.

Interesting, why do you think EV certs are more appropriate? They don't offer any security benefits beyond those offered by DV certs.

Given that much of llvm.org isn't even currently accessible over TLS, going straight to an EV cert seems overkill.

One nice aspect of Let's Encrypt certs is renewals are automatable so no one needs to keep track of when a new cert is necessary.

--
Stephen Checkoway
Stephen Checkoway via llvm-dev
2017-Feb-14 01:57 UTC
[llvm-dev] Bugzilla invalid certificate issues
> On Feb 13, 2017, at 15:24, Chris Matthews <chris.matthews at apple.com> wrote:
>
> EV certs attempt to validate the identity of the organization that holds them. That is a nice assurance to have from a place that makes the thing that compiles your code.

Although I appreciate that concern, downloads are currently available only via http (or via https with a TLS cert warning about invalid common name) so any improvement here would be good (as just happened with bugs.llvm.org).

As an aside, EV certs don't really offer a guarantee of identity validation (indeed EV certs have been misissued in the past [1]). They're really a form of Jackson's and Barth's "finer-grain origin" [2] which, as they point out, isn't respected by the browser's same origin policy. Although I'm not aware of any studies on this, I'd be shocked if even expert users noticed that a site moved from EV certs to DV certs. There's much more security to be had with HSTS.

1. https://security.googleblog.com/2015/09/improved-digital-certificate-security.html
2. https://seclab.stanford.edu/websec/origins/fgo.pdf

--
Stephen Checkoway
Joerg Sonnenberger via llvm-dev
2017-Feb-14 12:54 UTC
[llvm-dev] Bugzilla invalid certificate issues
On Mon, Feb 13, 2017 at 07:57:37PM -0600, Stephen Checkoway via llvm-dev wrote:
> As an aside, EV certs don't really offer a guarantee of identity
> validation (indeed EV certs have been misissued in the past [1]).
> They're really a form of Jackson's and Barth's "finer-grain origin"
> [2] which, as they point out, isn't respected by the browser's same
> origin policy. Although I'm not aware of any studies on this, I'd be
> shocked if even expert users noticed that a site moved from EV certs
> to DV certs. There's much more security to be had with HSTS.

Generally, there are two visible differences:

(1) Historically, browsers used to display EV vs DV with different colors. I think they gave up on this.
(2) The insurance sum tends to be greater.

Technically, there is no point to EV and I agree that HSTS is likely the better deal. That said, let the admin work it out.

Joerg
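
The HSTS point raised in the thread, as an added example that is not part of any message above: a sketch of how a browser decides whether to store a Strict-Transport-Security header under RFC 6797, including the case relevant to a site still served over plain http, where the header is ignored. The function name `parse_hsts` and every sample header are constructed for illustration.

```python
import re

# RFC 7230 "token" characters, used for directive names.
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def parse_hsts(header, scheme):
    """Return the policy a browser would store, or None if the header is ignored."""
    # RFC 6797: an STS header received over insecure transport must be ignored,
    # so a host that only answers on plain http gains nothing from sending it.
    if scheme != "https":
        return None
    seen = {}
    # Simplification: a ';' inside a quoted-string value is not handled.
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue  # the grammar permits empty directives
        name, _, value = part.partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # quoted-string form of the value
        if not _TOKEN.fullmatch(name) or name in seen:
            return None  # malformed or repeated directive: ignore whole header
        seen[name] = value  # unknown directives (e.g. preload) are kept but unused
    if not re.fullmatch(r"[0-9]+", seen.get("max-age", "")):
        return None  # max-age is required and must be a non-negative integer
    max_age = int(seen["max-age"])
    return {
        "max_age": max_age,
        "include_subdomains": "includesubdomains" in seen,
        "active": max_age > 0,  # max-age=0 makes the browser forget the host
    }


if __name__ == "__main__":
    # Constructed sample responses: (header value, scheme it arrived on).
    samples = [
        ("max-age=31536000; includeSubDomains", "https"),
        ("max-age=31536000; includeSubDomains", "http"),
        ("max-age=0", "https"),
        ("max-age=100; max-age=200", "https"),
    ]
    for header, scheme in samples:
        print(f"{scheme:5} {header!r:45} -> {parse_hsts(header, scheme)}")
```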