Prefer CA certificate over previous self-signed cert #5685
Comments
|
see these regarding how cert pinning works:
For some, this would be an anti-feature as rogue CAs could MITM their connections when they wanted to use "pinned" self-signed certs. |
Uggh, so no easy answer. Choices seem to be a) use a self-signed cert available to anyone (including rogues) or b) use a real cert and lock everybody out when it expires. Thanks for the feedback before I put any more time into "fixing" it. |
Please read my links. If you use CA signed certs, expiry does not really matter. CA signed certs do not get pinned, only the fact that the server is using CA signed certs (boolean). |
|
Gotcha - users are locked out until the self-signed cert expires, then the CA cert is valid forever, even when updated. |
My original public ElectrumX server (now private) had a self-signed certificate that I recently changed over to a CA certificate (LetsEncrypt) in the consideration of a possible move back to a public server. Now any client that had previously connected to it can no longer connect as the client has a copy of the self-signed certificate in its cache.
My particular case is not a huge issue but I'm thinking that there are millions of users locked out of many legitimate servers as the their CA certificates routinely expire and are updated with new ones - likely forever as I understand it now. This reduces the pool of legitimate servers a client can reach and therefore increases the risk of connecting to a malicious server.
Is there any way to have Electrum prefer a validated (CA) certificate over its locally stored cache if the cached cert is self-signed or outdated and then update the cache with the current valid CA certificate? How does any Electrum client continue to reach a server after its CA certificate expires and it is updated? LetsEncrypt certs expire every 90 days. My feeling is that anything that increases access to legitimate servers (which a sybil almost certainly would not have a CA cert attached) will be a win for users.
I haven't delved deep into the certificate handling code of Electrum. If it is not something that can be altered easily, would a PR for this be considered?
The text was updated successfully, but these errors were encountered: