#certificateauthorities — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #certificateauthorities, aggregated by home.social.
-
Just about the entire internet uses certificate authorities to establish trust. Here, a simple old-school social engineering trick broke this trust and allowed hackers to get signed certificates from DigiCert for their malware.
There is a better way to establish certificate trust that doesn't rely on a 3rd party, and it's free too. It's called DANE, which binds the trust directly to the Domain Name System by using DNSSEC. DANE is ideal for code signing certificates (and other uses), but is overlooked.
This attack is virtually impossible under DANE. A vulnerable support person is of no use. Hackers would need to directly compromise the target's DNS infrastructure, the registrar, and the top-level domain authority. All three. Nearly impossible compared to just finding some dupe at the CA in a public chat room.
https://hackread.com/hackers-digicert-issue-certificates-sign-malware/
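The mechanism the post appeals to is the TLSA record (RFC 6698): the zone publishes a digest of the server's own certificate or public key, and a DANE-aware client compares what the server presents against that DNSSEC-signed digest, so a certificate a CA was tricked into issuing for the same name simply does not match. The following is an added example, not code from the post or from the linked article. It uses only the Python standard library and a hand-built DER certificate with placeholder key bytes (not a real key or signature) so that it runs offline; `extract_spki()` walks a real DER certificate the same way. The names `make_cert`, `tlsa_rdata`, `tlsa_matches` and the zone `example.com` are this example's own. It deliberately does not do the DNS lookup: in production the TLSA answer must come from a DNSSEC-validating resolver, otherwise the check adds nothing.

```python
"""DANE-EE (TLSA usage 3) match against a constructed X.509 certificate."""
import hashlib

# --- minimal DER encode/decode -------------------------------------------

def der(tag, content):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def der_read(buf, pos):
    """Decode the TLV at pos; return (tag, content, raw_tlv, next_pos)."""
    start, tag, first = pos, buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    return tag, buf[pos:end], buf[start:end], end

def der_children(content):
    """Split a SEQUENCE/SET body into its (tag, content, raw_tlv) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, raw, pos = der_read(content, pos)
        out.append((tag, body, raw))
    return out

def extract_spki(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER Certificate (RFC 5280)."""
    _, cert_body, _, _ = der_read(cert_der, 0)
    tbs = der_children(cert_body)[0]                 # tbsCertificate
    fields = der_children(tbs[1])
    # EXPLICIT [0] version (0xA0) is optional; SPKI follows serial,
    # signature, issuer, validity and subject.
    idx = 6 if fields[0][0] == 0xA0 else 5
    return fields[idx][2]

# --- TLSA (RFC 6698) ------------------------------------------------------

def tlsa_rdata(cert_der, usage, selector, mtype):
    """Compute the TLSA RDATA a zone would publish for this certificate."""
    obj = cert_der if selector == 0 else extract_spki(cert_der)  # 0=cert, 1=SPKI
    if mtype == 0:
        data = obj                                   # exact match
    elif mtype == 1:
        data = hashlib.sha256(obj).digest()
    elif mtype == 2:
        data = hashlib.sha512(obj).digest()
    else:
        raise ValueError("unknown TLSA matching type")
    return (usage, selector, mtype, data)

def tlsa_matches(record, cert_der):
    """DANE check: does the presented certificate satisfy the TLSA record?"""
    usage, selector, mtype, data = record
    return tlsa_rdata(cert_der, usage, selector, mtype)[3] == data

def tlsa_presentation(record):
    """Zone-file form, e.g. '3 1 1 <sha256 hex>'."""
    usage, selector, mtype, data = record
    return f"{usage} {selector} {mtype} {data.hex()}"

# --- constructed certificate (placeholder key and signature, NOT real) ------

OID_SHA256_RSA = der(0x06, bytes.fromhex("2a864886f70d01010b"))
OID_RSA = der(0x06, bytes.fromhex("2a864886f70d010101"))
OID_CN = der(0x06, bytes.fromhex("550403"))
NULL = der(0x05, b"")

def name(cn):
    return der(0x30, der(0x31, der(0x30, OID_CN + der(0x0C, cn.encode()))))

def make_cert(subject_cn, key_seed):
    """Build a structurally valid DER Certificate around placeholder key bytes."""
    modulus = hashlib.sha256(key_seed).digest() * 2          # 64 placeholder bytes
    rsa_key = der(0x30, der(0x02, b"\x00" + modulus) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, OID_RSA + NULL) + der(0x03, b"\x00" + rsa_key))
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                   # version v3
              + der(0x02, b"\x01")                            # serial
              + der(0x30, OID_SHA256_RSA + NULL)              # signature alg
              + name("Example CA")                            # issuer
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
              + name(subject_cn)                              # subject
              + spki)
    return der(0x30, tbs + der(0x30, OID_SHA256_RSA + NULL) + der(0x03, b"\x00" * 33))

LEGIT_CERT = make_cert("example.com", b"key held by the domain owner")
ROGUE_CERT = make_cert("example.com", b"key in a cert a CA was tricked into issuing")

# The zone publishes "3 1 1": DANE-EE, SPKI selector, SHA-256. Its authenticity
# rests on DNSSEC, not on any CA.
LEGIT_TLSA = tlsa_rdata(LEGIT_CERT, 3, 1, 1)

if __name__ == "__main__":
    print("_443._tcp.example.com. IN TLSA", tlsa_presentation(LEGIT_TLSA))
    print("owner's cert matches TLSA:", tlsa_matches(LEGIT_TLSA, LEGIT_CERT))
    print("CA-issued rogue cert matches TLSA:", tlsa_matches(LEGIT_TLSA, ROGUE_CERT))
```

The rogue certificate carries the same subject name and could chain to a publicly trusted root, yet it fails the DANE-EE match because its SubjectPublicKeyInfo digest differs from the one the domain owner signed into DNS. Selector 1 with matching type 1 is the usual choice because the record survives certificate renewal as long as the key pair is kept.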
-
🥳 @small-tech/syswide-cas v7.0.2 released
Enables Node.js to use custom Certificate Authorities (CAs) alongside the bundled root CAs.
https://codeberg.org/small-tech/syswide-cas#readme
• Drops legacy Node support
• Is now ESM
• Improved code quality
• Added TypeScript type information
Full change log: https://codeberg.org/small-tech/syswide-cas/src/branch/main/CHANGELOG.md
Enjoy!
💕
#SmallTech #releases #syswideCAs #TLS #NodeJS #CertificateAuthorities
-
Google Chrome to Distrust Chunghwa Telecom and Netlock Certificate Authorities (CAs)—What’s Next? – Source: securityboulevard.com https://ciso2ciso.com/google-chrome-to-distrust-chunghwa-telecom-and-netlock-certificate-authorities-cas-whats-next-source-securityboulevard-com/ #certificatelifecyclemanagement(CLM) #RoleBasedAccessControl(RBAC) #rssfeedpostgeneratorecho #SecurityBloggersNetwork #certificateauthorities #CyberSecurityNews #SecurityBoulevard #TLScertificates #crypto-agility #CAdistrust
-
2 #CertificateAuthorities booted from the good graces of #Chrome
#Google says its Chrome browser will stop trusting certificates from two certificate authorities after “patterns of concerning behavior observed over the past year” diminished trust in their reliability.
The 2 orgs, #Taiwan -based #ChunghwaTelecom & #Budapest -based #Netlock , are among the hundreds of cert auth trusted by Chrome & most other #browsers to provide digital certificates that #encrypt traffic
-
Two certificate authorities booted from the good graces of Chrome - Google says its Chrome browser will stop trusting certificat... - https://arstechnica.com/security/2025/06/chrome-boots-2-certificate-authorities-citing-a-lack-of-trust-and-confidence/ #certificateauthorities #chromebrowser #security #biz #google
-
crazy, how many #tls #CertificateAuthorities an #Android trusts by default, including institutions of authoritarian states! However, the fact that this list of trustworthy CAs is apparently adopted by default by #GrapheneOS without question makes me a little suspicious. Here is at least a much more restrictive list that has proven to be completely sufficient for me in recent years (in the German-speaking part of the Internet). #unplugtrump
-
Banish OEM self-signed certs forever and roll your own private LetsEncrypt
Previously, on ... - https://arstechnica.com/?p=2009175 #certificateauthorities #certificates #letsencrypt #features #acme.sh #feature #biz #dhcpd #https #acme #dhcp #dns #tls
-
This is MADNESS.
“If these Qualified Trust Service Providers (QTSP is the name given to a CA that issues QWACs) are all they're cracked up to be, then why can't they just submit to the existing audit/approval process and pass with flying colours? That's not too much to ask, is it?”
-
A caveat to what I said - there *are* rogue Certificate Authorities out there:
That's not to say rogue CAs are a threat to every system or user equally. As the article points out, they will probably be used sparingly to get at high value targets.
Anyway, take care to audit which CAs you trust in your browsers and other applications.
If you have a very specialised server application it doesn't need to trust 100-odd CAs!
-
For reference (see above toot and child-toots of above toot) #banksAsKeyStores #banks #keyStores #keyservers #reinventBanks #localConnections #makeBanksBetter #realJobs #eepsites #decentralisation #certificateAuthorities #localJobs
-
@neil
Tor is really a basic standard today. We envisage banks becoming key stores, for local onion websites (tor and importantly I2P, which does more than tor). They will also be a place where people can go to be connected to local jobs and to register to vote on local govt budgets.
Among other things.
Gone are the days where people trust a handful of global #CertificateAuthorities.
-
@cy
We came to that realisation fairly quickly, once we started looking. The #CertificateAuthorities (CAs) are large in number but not enough to be considered #decentralised. In reality #banks are a logical vendor. You'd visit local banks, and use the certs they sign for local business. They could possibly store #I2P addresses from partner banks they are confident about also.
Our banks are buggered in #Australia though. They're even worse than #SSL…
They are #cloudflare MITM'd!
-
@selea
Hi Maike,
We were similarly cautious about OMEMO once, then we watched a video about how the DoubleRatchet algorithm works and OMEMO is no longer an issue.
I2P federation is now our biggest hurdle. We don't believe people should have to buy domain names and be beholden to #certificateAuthorities for basic #communication.
-
@witchescauldron
(2/2) It's deeply troubling that systems like Tor and i2p have existed for over a decade yet no one has had the guts to promote them strongly. We've had #netNeutrality destroyed, #dragNets built, #techGiants crush #independentMedia, and respected #certificateAuthorities exposed for issuing faulty #encryptionKeys...
What more do we honestly need!?
But when we try to suggest the alternative, many act like it's too extreme. The #sleepwalking is real.
-
CW: non-techie web hosting ideas
@wyatwerp
The signing and #HTTPS is another very good point, yes. And justification for moving to the New Internet. The #legacyInternet requires trust in third parties known as #certificateAuthorities. The 'NewInternet' does not require this #trust.
The New Internet is quite vibrant and seems to be always growing. It needs to be the future - and thus will be.
-
Cloudflare aims to make HTTPS certificates safe from BGP hijacking attacks
Content delivery network Cloudflare is intro... more: https://arstechnica.com/?p=1523561 #certificateauthorities #certificate #cloudflare #biz&it #ssltls #https #pki