by marcan_42 1598 days ago
This article deeply misunderstands the Web PKI model.

> If I give TLS private keys to the hosting company, then what is the point of using TLS and lying that it can authenticate the endpoint domain?

If your ISP wants to get a TLS certificate for your domain, they can, because they are in the last-mile MITM path against you and can use that to authenticate domain-validated certificates under the Baseline Requirement rules. Your ISP is not part of the threat model that the Web PKI tries to defend against. It doesn't matter if they have theoretical access to your private keys.

> Possibly there is already IPsec transport session, transparently securing the link.

Not unless you set that up with your users. The point of TLS is that it is supported everywhere. IPsec is an explicit protocol (and a bad one at that) that requires a ton of manual configuration and makes no attempt to make anything automatic or to authenticate anything... unless you just use x.509 certificates, and then we're back to the same model as TLS.

> Neither they, nor those CAs really care about security – it is just plain old business.

They care about security because if they fail at security, their roots will be removed, destroying their business. This has already happened multiple times, even for big players (e.g. Symantec). That's the whole point of the BRs.

> Current global-scale PKI system, integrated by default in most software, literally tells that some dozens of CAs, and several hundreds of intermediate CAs can authenticate entities (like Internet domains and so far). There is no reason for me to spend my money paying one of the chosen CAs, because any of hundreds of CAs besides can issue a "valid" certificate for MitM-ing connections.

And that's still better than me being able to MitM your connection without any outside help just because I hopped on the same WiFi as you.

> So paying for the domain’s certificate just gives the ability to show some green bars in the browsers, but the whole system does not prevent its MitM-ing by other authorities anyway by design.

It prevents MitM-ing by end-user ISPs, by rogue access points, and much more. It's not perfect. It's a lot better than nothing.

In addition, thanks to Certificate Transparency, you can monitor if one of those CAs has issued a fraudulent certificate in your name. Browsers won't trust certificates that are not publicly logged.

> I can give trust to some authorities, but not to the hundreds of them.

Then do what I do and remove the ones you don't. I only have 29 CAs in my /etc/ssl/certs/ and a few more enabled in NSS, and almost everything works fine. Throw in the big players and 99% of the internet works without issue, and you can ignore all those country-specific (or worse, government-affiliated) CAs and lower your attack surface.

> I used to use CAcert because of that. But here comes politics and business again! CAcert is not included in most major operating systems. Who wants to lose their business when someone does it for free? There were other gratis CAs, that also were not included in OSes. Why? US-based software vendor companies will give many reasons, but actually there is only one uniting them all: all of these free CAs are not based in the US, and so do not obey its jurisdiction.

CAcert had some significant operational issues and could not pass audits. There are free CAs operating outside the US.

> Actually for some time they were indeed included in many trust anchor bundles out-of-box. But soon all of them were removed... and there suddenly appeared Let’s Encrypt (LE), that relatively immediately was praised by all major software and hardware vendors and included everywhere. Just a coincidence? Instead of having certificates spread among many CAs under various jurisdictions, that ingenious move with a gratis ultimately trusted CA led to the world where the prevailing majority of all certificates are issued by a single CA, based in the US (at last).

Or perhaps because LE has vastly better and more secure infra than CAcert ever did.

> LE is clearly a NOBUS project.

Tinfoil hat mode engaged...

> Specifying LE in CAA means that I authorize no one to issue certificates for my domains, except for US-based forces. That is something I will never do, being a citizen of a completely independent jurisdiction. I am not a traitor.

Then maybe you'll trust an ACME CA in Austria:

https://zerossl.com/

Or one in Norway:

https://www.buypass.com/products/tls-ssl-certificates/go-ssl
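The two defensive mechanisms the comment leans on, CAA (which CA a domain owner authorizes) and Certificate Transparency (seeing what was actually issued), fit together: the CT feed can be checked against the CAA policy to flag issuance the owner never authorized. The following is an added example, not code from the thread or from any CA. It implements the general RFC 8659 rules (climbing the name tree to find the relevant RRset, `issue` versus `issuewild`, the `;` "nobody" marker, and unrecognized tags with the critical flag), going beyond the single "CAA pointing at LE" case in the quoted text. The CAA zone, the CT entries and the `ISSUER_CAA_NAMES` table mapping an issuer DN's `O=` field to a CAA issuer-domain-name are all constructed; real CAs publish that name in their CP/CPS.

```python
"""CAA policy evaluation (RFC 8659) cross-checked against CT log entries.
Added example with constructed data; not the thread's or any CA's code."""

# Constructed CAA records: (flags, tag, value) keyed by owner name.
# 'issue ";"' on shop.example.org forbids all non-wildcard issuance there.
CAA_ZONE = {
    "example.org": [
        (0, "issue", "letsencrypt.org"),
        (0, "issuewild", "buypass.com; accounturi=https://example.invalid/acct/1"),
        (0, "iodef", "mailto:secops@example.org"),
    ],
    "shop.example.org": [(0, "issue", ";")],
    # Hypothetical unknown tag with the critical flag (128) set.
    "legacy.example.org": [(128, "unknown-tag", "x")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(fqdn):
    """RFC 8659 s3: a wildcard *.X is looked up as X; then climb toward the
    root until an owner with CAA records is found. [] means no CAA anywhere."""
    name = fqdn[2:] if fqdn.startswith("*.") else fqdn
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = CAA_ZONE.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """'ca.example; param=v' -> 'ca.example'; ';' alone -> '' (authorizes nobody)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(ca, fqdn):
    """True if CAA allows the CA known by issuer-domain-name `ca` to issue for fqdn."""
    rrset = relevant_rrset(fqdn)
    if not rrset:
        return True  # no CAA in the tree: issuance is unrestricted
    # An unrecognized tag whose critical flag is set forbids issuance outright.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    wildcard = fqdn.startswith("*.")
    wild = [v for _, t, v in rrset if t == "issuewild"]
    plain = [v for _, t, v in rrset if t == "issue"]
    # s4.3: when issuewild records exist they alone govern wildcard requests;
    # otherwise issue records apply to both wildcard and non-wildcard names.
    applicable = wild if (wildcard and wild) else plain
    if not applicable:
        return True  # CAA present (e.g. only iodef) but no issue constraint
    # Drop the empty name produced by ';' so an unknown CA ('') never matches it.
    allowed = {issuer_domain(v) for v in applicable} - {""}
    return ca.lower() in allowed


# Constructed CT search results in the shape crt.sh's JSON output uses
# (issuer_name, name_value with SANs joined by newlines); ids are made up.
CT_ENTRIES = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.example.org\nexample.org"},
    {"id": 2, "issuer_name": "C=NO, O=Buypass AS-983163327, CN=Buypass Class 2 CA 5",
     "name_value": "*.example.org"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "shop.example.org"},
    {"id": 4, "issuer_name": "C=XX, O=Some Other CA, CN=Other CA G1",
     "name_value": "www.example.org"},
]

# Constructed: issuer DN organisation -> CAA issuer-domain-name (assumed values).
ISSUER_CAA_NAMES = {"Let's Encrypt": "letsencrypt.org",
                    "Buypass AS-983163327": "buypass.com"}


def issuer_org(dn):
    """Pull the O= attribute out of a comma-separated issuer DN string."""
    for part in dn.split(","):
        key, _, val = part.strip().partition("=")
        if key == "O":
            return val
    return ""


def unauthorized_entries(entries):
    """Return (id, name, issuer) for every CT entry whose issuer CAA does not permit."""
    flagged = []
    for entry in entries:
        ca = ISSUER_CAA_NAMES.get(issuer_org(entry["issuer_name"]), "")
        for name in entry["name_value"].splitlines():
            if not caa_permits(ca, name):
                flagged.append((entry["id"], name, entry["issuer_name"]))
    return flagged


if __name__ == "__main__":
    for entry_id, name, issuer in unauthorized_entries(CT_ENTRIES):
        print(f"ALERT ct-id={entry_id} name={name} issuer={issuer!r} not authorized by CAA")
```

Run against the constructed data, entries 3 and 4 are flagged: `shop.example.org` publishes `issue ";"`, so even the CA the parent zone authorizes may not issue there, and the unknown CA in entry 4 is not named anywhere in the tree. Wired to a real CT search, the same check gives the domain owner the monitoring the comment describes, and the CAA function doubles as a way to confirm a published policy says what you think it says before relying on it.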