Today, when trying to log in remotely to my home router (a FRITZ!Box), I was greeted with an TLS certificate error. I was pretty sure it’s my router, but am I really keen to type in a password into a field that I have no idea whether it is actual my machine, or a nice-looking replica? A clear indication that it is time to use a better cert than a self-signed one that I cannot verify remotely.
I use Let’s Encrypt for all my other certificates, so why not use it on my router? However, I found precious little information about how to use it with the FRITZ!Box. Fortunately, it’s pretty straightforward.
In September last year, the Free Software Sydney meet-up group had an inaugural Jitsi Meet videoconference.
My (longer-than-planned) contribution to the conference aimed at introducing trust and security concepts, mainly in showing the prevalent role of hashes, and covered public-key cryptography uses, GPG, SSL CAs, trusting trust and reproducible builds.
[videojs webm=”/wp-content/uploads/manual/2015-09-10mehani_security_considerations_building_trust.webm” preload=”true” autoplay=”false”]
The whole video of the conference, also covering Free Software and Tor, can be found on the page of the event. PDF slides are available here.
CAcert is an SSL Certificate Authority based on the establishment of a web-of-trust à la PGP: rather than charging to issue certificates to anyone, it issues them only to members who have been vouched for by enough other trustworthy members (assurers).
For historical reasons, they were included in the Debian ca-certificates package. It was however recently removed, for justified reasons (CAcert is conducting an audit, and withdrew their demand for inclusion in the Mozilla chain until it’s done). Most other distributions mirror from this package to ship their root certificate, and have also dropped CAcert as a consequence.
This is however a bit annoying, as many sites started popping up warnings due to their root certificate not being in the trusted chain of the OS anymore. Until, maybe, they are reinstalled but disabled by default, I quickly wrote up a tiny script that downloads CAcert’s root certificates, and re-registers them. It’s quick and dirty, and only does an MD5 sum to make check they are the right ones, so use at your own risks.