• Fal@yiffit.net
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    8
    ·
    1 year ago

    Self signed certs are more secure. You don’t have to trust the whole CA chain

    • partyparrot@lemmy.blahaj.zone
      link
      fedilink
      arrow-up
      4
      ·
      edit-2
      1 year ago

      Please feel free to explain your stance more, also I’m not an expert. But that seems like a potentially dangerous statement. Certificates are a multifacted issue which cannot be covered by “Self signed certs are more secure”. Even in an environment you are fully managing intermediate and leaflet certificates, you want the root issued by a public CA. Ideally an EV CA. If the infrastructure is fully internal, there are still advantages to using an external CA (like for getting a root cert) unless you are able to securely generate, store, revoke, cycle, and manage the root certificates. As for trusting certificate chains, again multifaceted, but they fix a lot more problems than they cause and increase security posture. Having one off pairs per service at any but the smallest scale is security nightmare fuel.

      • Fal@yiffit.net
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        2
        ·
        1 year ago

        but they fix a lot more problems than they cause

        I didn’t say anything that disagrees with this. CAs are nice and convenient. They do this by expanding the chain of trust to a lot more people, hence making them less secure.

        Sure if you can’t securely manage your cert, that’s a problem. But that doesn’t mean let’s less secure

        • partyparrot@lemmy.blahaj.zone
          link
          fedilink
          arrow-up
          3
          ·
          1 year ago

          I think it’s important to distinguish use case. Or make more qualified statements instead of saying self signed certs are always more secure.

          Like, are we talking about a single certificate pair per service contained on your local isolated network? Sure probably then.

          Otherwise, very likely not.