Quote:
Originally Posted by Barry-xlovecam
Ever install an SSL key? If you bought your SSL certificate from Verisign, Thawte, Comodo, or other public vendors there is a record of your encrypt/decrypt key on file. All they need is a subpoena -- if the SSL cert issuer is in the US the "governmental agency" can get that key -- YOUR ENCRYPTION IS TRASHED.
Horseshit.
You obviously don't understand how PKI works.
You send a CSR (Certificate Signing Request) to the CA (Certificate Authority). The CSR is basically your public key with some additional information. You always retain your private key on your server/local machine.
The real threat is the trust structure with the CAs. Every browser ships with a list of trusted CAs and some of them have been hacked or they are flat out owned by DHS or the government of China.
A rogue/hacked CA can sign keys for popular websites such as paypal/facebook/twitter and MITM (man-in-the-middle) the connections.
Essentially they sit in the middle between you and the target site and pretend to be the endpoint.
The only way to guard against that is to use certificate pinning. There is a good plugin for Firefox called "Certificate Patrol", and Chrome/Chromium has pinning for popular websites already.
I completely agree that you should run your own mail servers.