Certificates

Josh and Kurt talk about a few stories around the TLS CA certificate world. It’s all pretty dire sounding. There’s not a lot of organization or process in the space, and the root CAs are literally the foundation of modern society, everything needs them to function. There’s not a lot of positive ideas here, it’s mostly a show where Kurt explains to Josh what’s going on, because Josh doesn’t want to care (and will continue to ignore all of this going forward). ...

Josh and Kurt talk about the new EU eIDAS regulation. This is a bill that will force web browsers to add root certificates based on law instead of technical merits, which is how it’s currently done. This is concerning for a number of reasons that we discuss on the show. This proposal is not a good idea. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_402_The_EUs_eIDAS_regulation_is_a_terrible_idea.mp3 Show Notes Mozilla site Root CA mailing list UK eIDAS regulation EFF statement on eIDAS Fixed XKCD comic

Josh and Kurt talk about the recent GitHub breach. It wasn’t terribly exciting, but there are some interesting conversations to have around securing certificates, source code, and hardware security modules. In general GitHub did most things right on this one. https://traffic.libsyn.com/opensourcesecuritypodcast/Episode_361_GitHub_got_pwnt_but_it_wasnt_very_exciting.mp3 Show Notes GitHub blog post Hacker History Podcast episode with Robert Super Mario 64 decompile Mario 64 built without optimization Link to the Past source code

Josh and Kurt talk about some recent security actions Apple has taken. Not all are good, but in general Apple is doing things to benefit their customers (their customers are not advertisers). We also discuss some of the challenges when your customers are advertisers. https://traffic.libsyn.com/secure/opensourcesecuritypodcast/Episode_204_What_Would_Apple_Do.mp3 Show Notes Apple one year certificates Apple declines to implement 16 new APIs Apple is tracking unsigned executables