Certifiable

I recently switched to a new ISP, who have so far been excellent; however, they use certificates signed by CAcert. While I generally agree with the principle behind that decision, it does make life difficult. They cheerfully say, “You can check the certificate is signed by CAcert, if you like, before accepting it.” But how?

Warning: the following approach to checking the certificate is signed by CAcert is quite likely to be rubbish, so it’s probably not a good idea to follow it! In my defense, it seemed like a reasonable balance between just accepting some random certificate and complete paranoia, but if you know a better way, please let me know.

The CAcert root certificates aren’t shipped with Windows, but they are already included in various places, so it turns out that the simple answer might be to grab the certificate from a suitable Linux distribution. Just to be on the safe side, I wanted to find a distribution I could download securely. The best option I found was Tails, which has a secure download and, for extra peace of mind, can be verified with OpenPGP.

My chosen method for trusting the Tails signing key was a tad more interesting on Windows due to the lack of an sha256sum command. Luckily it seems you can do anything in PowerShell, so with a little help from Brian Hartsock’s blog, this did the trick instead:

# Compute the SHA-256 hash of the downloaded signing key (the sha256sum equivalent)
$ha = [System.Security.Cryptography.HashAlgorithm]::Create("SHA256")
$stream = New-Object System.IO.FileStream("tails-signing.key", [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
$sb = New-Object System.Text.StringBuilder
# Append each hash byte as two lowercase hex digits
$ha.ComputeHash($stream) | % { [void] $sb.Append($_.ToString("x2")) }
$stream.Close()
# Print the hex digest to compare against the published fingerprint
$sb.ToString()
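
The step the post glosses over is the last one: checking that the ISP’s server certificate actually chains to the CAcert root you pulled out of Tails, rather than to whatever Windows happens to trust. The following PowerShell is an added example, not code from the original post or from the ISP; the root file path, the expected fingerprint and the host name are placeholders you would replace with your own values.

```powershell
# Added example (not from the original post). Assumptions: the CAcert root was
# extracted from the Tails image to cacert-root.crt, its SHA-256 fingerprint was
# checked out of band, and the ISP host name below is a placeholder.
$rootPath       = 'C:\certs\cacert-root.crt'             # assumed path
$expectedSha256 = 'PLACEHOLDER_FINGERPRINT_CHECKED_OUT_OF_BAND'  # assumed value
$hostName       = 'isp.example'                           # assumed host name
$port           = 443

# 1. Load the candidate root and refuse to use it unless its fingerprint matches.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($rootPath)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$fingerprint = ($sha256.ComputeHash($root.RawData) | ForEach-Object { $_.ToString('x2') }) -join ''
if ($fingerprint -ne $expectedSha256.ToLower()) {
    throw "Root fingerprint mismatch: got $fingerprint"
}

# 2. Fetch the server certificate. The callback returns $true only so the handshake
#    completes and RemoteCertificate can be read; nothing is trusted at this point.
$captureOnly = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors) $true
}
$client = New-Object System.Net.Sockets.TcpClient($hostName, $port)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $captureOnly)
$ssl.AuthenticateAsClient($hostName)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose()
$client.Close()

# 3. Build a chain with the verified root supplied explicitly. AllowUnknownCertificateAuthority
#    lets Build succeed although the root is not in the Windows store; we then check that
#    the chain really terminates at that root and reports no error other than UntrustedRoot.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
# Chaining only; revocation checking is a separate question and is skipped here.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.Build($serverCert) | Out-Null

$otherErrors = $chain.ChainStatus | Where-Object { $_.Status -ne 'UntrustedRoot' }
if ($otherErrors) {
    throw ("Chain errors: " + (($otherErrors | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '))
}
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
    throw "Chain ends at '$($chainRoot.Subject)', not at the verified CAcert root"
}
Write-Output "OK: $($serverCert.Subject) chains to $($root.Subject)"
```

If the ISP’s server sends an intermediate certificate, it is picked up from the handshake; if it does not, Build reports PartialChain and the script stops rather than guessing.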


All good, certificate verified. I would still rather Andrews & Arnold just used a proper certificate though: there are clearly problems with trusting all the certificate authorities that are included in browsers/operating systems by default but CAcert doesn’t exactly look like a fantastic example either, and normal users really don’t have any chance of making a more informed choice.
