Re: tailscale ..impressive
By: Digital Man to Phigan on Sun Jun 04 2023 01:39 pm
> https://security.stackexchange.com/questions/119551/are-there-master-keys-th
> at-can-be-used-to-generate-valid-ssl-keys
That link doesn't really contradict anything I'm saying :)
For a certificate or key pair to be "valid" you just have to trust the authority
that signed it/them. We call SSL certificates used for websites and things as "
valid" because they have been signed by one of the certificate authorities that
we all have stored in our operating systems and browsers, the ones we trust. It'
s technically possible for any of them to have master keys to the certificates t
hey generate and sign, but as the response in the link says, it's highly unlikel
y they would go using those willy nilly.
Other applications, especially those where the client and the server are proprie
tary, don't have to follow any rules about trusted authorities. The same company
could write the client and server, generate and sign the certificates, and prom
ise you end to end encryption. You have no guarantee that there isn't a master k
ey. Even when the client and server are open source, the certificate signing stu
ff often isn't.
---
■ Synchronet ■ TIRED of waiting 2 hours for a taco? GO TO TACOPRONTO.bbs.io
|
