
TunnelBroker.net SSL Cert

Started by cessnaflyer, April 22, 2011, 04:17:25 PM


cessnaflyer

Does anyone know if TunnelBroker.net recently changed its SSL cert?  I'm seeing a different cert here, and before I update my scripts, I'd like to make sure no one is twiddling my bits.

Perhaps this sort of thing could be avoided by not using a self-signed cert?  I know "real" certs aren't necessarily cheap, but StartSSL.com does have free SSL certs, and is recognized by many browsers.

Thanks!

It makes perfect sense that every household should have its own /48 once IPv6 is more widely used.  After all, it's not like we'll run out of IP addresses... again.

v2

You might be interested in the Perspectives project, which provides a way to verify the SSL certificate you are receiving has not been tampered with and matches the one received by other hosts ("notary servers") on the Internet: https://www.networknotary.org/


It shows the SSL certificate has recently changed but it should be fine since the change was recorded by the notary servers as well.

There's a Perspectives extension for Firefox and (an experimental one) for Chrome.

cessnaflyer

That's very interesting.  I've seen other ideas for SSL web-of-trust that are more secure, but are also more labor-intensive.  This seems to be a nice balance between an additional layer of security and too much work for all but the most dedicated users to manage.  The only real concern I'd have is first-time access to a site with a self-signed cert.

In general, I find self-signed certs to get too much of a bad reputation.  The real challenge isn't the self-signed cert, but the bootstrapping problem: how do I know on my first access if this cert is correct?  This Perspectives tool can help, but it has its own bootstrapping problem.  It also, I assume, has the same problem as other SSL trust tools, in that major sites with multiple certs on the many load-balanced servers can confuse it.

Tangent aside, I'd like very much to hear from one of the TunnelBroker admins that they did, in fact, recently change their cert.


josejimeniz

TunnelBroker created their own self-signed certificate. They did it on April 22, 2011, which is the same day you first noticed the error:



Considering it's been broken for months, I assume there is no intention of fixing it.

You can add it to your certificate store, but I wouldn't do it until someone from HE can confirm the certificate's thumbprint:



9e b4 4f 27 6b ce 5e f6 5d 9d 38 cc a9 25 22 76 43 18 07 5c

For all I know there's a transparent proxy in between me and HE that is trying to steal my passwords.
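The check josejimeniz describes (compare the thumbprint the server presents against a value the operator confirmed out of band) is the same thing as certificate pinning by digest. The script below is an added example, not code from the thread or from Hurricane Electric: it turns a PEM or DER certificate into the colon-separated fingerprint `openssl x509 -fingerprint` prints, normalizes a thumbprint pasted from a certificate viewer (spaces, colons, upper case, and the invisible U+200E mark Windows viewers prepend all break a naive string compare), and reports whether the two agree. `fetch_server_der` is an optional helper for pulling the live leaf certificate; the demo under `__main__` uses a constructed PEM blob whose body is just base64 of `abc`, not a real certificate, so it runs offline.

```python
"""Compare a certificate's digest against a pinned thumbprint (added example)."""
import base64
import hashlib
import re
import socket
import ssl

# Thumbprint as posted in the thread (SHA-1, 20 bytes, space-separated).
PINNED_SHA1 = "9e b4 4f 27 6b ce 5e f6 5d 9d 38 cc a9 25 22 76 43 18 07 5c"

_PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem: bytes) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM blob."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(m.group(1).split()))


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Digest of the DER encoding, colon-separated the way openssl prints it."""
    digest = hashlib.new(algo, der).digest()
    return ":".join(f"{b:02x}" for b in digest)


def normalize(thumbprint: str) -> str:
    """Keep only the hex digits, lower-cased.

    Thumbprints copied from certificate viewers carry spaces or colons, mixed
    case, and sometimes an invisible leading mark (U+200E); drop all of that so
    only the digest bytes are compared.
    """
    return re.sub(r"[^0-9a-fA-F]", "", thumbprint).lower()


def matches_pin(der: bytes, pinned: str, algo: str = "sha1") -> bool:
    """True if the certificate's digest equals the pinned thumbprint."""
    want = normalize(pinned)
    expected_len = hashlib.new(algo).digest_size * 2
    if len(want) != expected_len:
        raise ValueError(f"pinned {algo} thumbprint must be {expected_len} hex digits")
    return normalize(fingerprint(der, algo)) == want


def fetch_server_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate a server presents, without chain validation.

    Validation is switched off on purpose: a self-signed certificate would fail
    it, and the decision here rests on the thumbprint, not on the chain.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Constructed stand-in: the "certificate" body is just base64("abc"),
    # which is enough to exercise the parsing and comparison offline.
    demo_pem = b"-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
    der = pem_to_der(demo_pem)
    print("sha1  ", fingerprint(der))
    print("sha256", fingerprint(der, "sha256"))
    print("matches thread thumbprint:", matches_pin(der, PINNED_SHA1))
```

To check a live server, replace `der` with `fetch_server_der("tunnelbroker.net")` and keep `PINNED_SHA1` as the value the operator confirmed; a `False` result means the presented certificate is not the one you pinned, which is exactly the case the thread is worried about. Pinning the SHA-256 digest instead of SHA-1 is the better choice today; the page quotes SHA-1 because that is what the certificate viewer showed.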

broquea

We always use a self-signed, and yes, that is ours from April 22nd, 2011.