>
> And another "wondering" - all the warnings about trusting self-signed
> certs seem a bit self-serving. Yes, they are trying to certify who you
> are, but at the expense of probably allowing access to your
> communications by "authorised parties" (such as commercial entities
> purchasing access for MITM access - e.g. certain router/firewall
> companies doing deep inspection of SSL via resigning or owning both end
> points).


CAs who issue such dodgy certs tend to get booted from certificate stores,
since they cannot be trusted.
https://wiki.mozilla.org/CA:Symantec_Issues#Issue_D:_Test_Certificate_Misissuance_.28April_2009_-_September_2015.29

https://en.wikipedia.org/wiki/Certificate_Transparency helps keep CAs
honest.

The way I like to frame it is "any certificate should only be trusted as
much as the *least* trustworthy CA in your certificate store".

AFAIK in an enterprise, MITM works by having a local CA added to the cert
stores of the workstation fleet, and having that CA auto-generate the certs
for MITM. That didn't work with certificate pinning, but pinning has been
deprecated.


> If it's only your own communications and not with a third,
> commercial party, self-signed seems a lot more secure.
>

Yes, I imagine there are some circumstances where it would make sense to
remove all the certs from your certificate store and then just add your
local CA's cert. In this case, the least trustworthy CA in the store is
your own :)
