SSL certs are about more than just encrypting traffic. They help establish that the web server is run by the same organization who manages the DNS record. This lets you be reasonably assured your connection is not being man-in-the-middled.
This is particularly helpful when downloading an operating system, as with no HTTPS, it would be trivial to MitM and spoof the TC download site with a malicious installer.
IMO, it's pretty ridiculous that a site serving OS downloads isn't using HTTPS in the letsencrypt era.
About 30 years ago, your comment would have been somewhat true. VeriSign and the other leaders went to different lengths to have a proof-of-identity obstacle for users to burden themselves with to show the website visitors "Hey, this website SSL belongs to Joe Schmo"... Now-a-days, Verisign doesn't even DO SSL certificates from the looks of it!!!
...and for "who manages a site's DNS?" Do you really think I want Let's Encrypt to know who takes care of my DNS records??? Let alone have the PUBLIC know that???
Today, DNS is usually "managed" by Control Panel software and your web hosting company...
unless you're rich enough to own your own T1/OC3/Fiber and host your own network online.
THEN, you may actually... nope! Even then, things like Let's Encrypt still have NO CLUE who you are.
I have about 20 or so SSL certificates through Let's Encrypt.
Not a
single one of the SSL certificates even knows my name or business name.
None of them know my (home/business) address.
I'm pretty sure even a phone number isn't mandated.
Why? They don't ask. They don't have to! They're encryption certificates! They don't care!
Why? I have a hosted server I'm thinking about at the moment that the Control Panel of the hosting company downloads and installs the L.E. SSL certificates virtually as easy as clicking a button. Oh, wait... I don't even have to click! It's automatic as soon as I tell it I want SSL for a given website.
Are my private details SHARED with Let's Encrypt in the process? Nope!
In fact, in the United States, it's ILLEGAL to share private details about someone without their expressed, written permission (Privacy Acts exist around the globe to some degree) to where even Domain Registrars have to offer domain privacy. Take TinyCore's website for example:
https://www.godaddy.com/whois/results.aspx?itc=dlp_domain_whois&domain=tinycorelinux.netYou'll notice Robert S. isn't listed on here, right? Nor are ANY of the Admins for that matter. Why? People in the States have become sticklers about "privacy" since the US slapped their own hands back in 1974 with the first real Privacy Act.
SSL certificates are used solely to create a secure connection between YOU (say, your browser) and a physical MACHINE somewhere out there so that when you type "Hello", it's scrambled into a mess of a long, LONG string of characters and sent through the Ether to the MACHINE out there where it's unscrambled and received. This process makes it very difficult for third party people to "look over your shoulder" (network monitoring) and see what you've sent. It has NOTHING to do with proving who YOU ARE... it's strictly used to prove what DOMAIN NAME you're connecting to - and not even as deep as the DNS settings of that domain!
Example:
https://users.simplenix.com/forum/Here's a dummy forum I've set out as bait for special kinds of ill-intended traffic.
Click on your browser's "shield", green button or means of displaying the website is SECURE.
Follow your browser's buttons/links until you can actually VIEW the SSL Certificate.
It specifically states "This website does not supply ownership information."
Inside the SSL, it specifically lists "users.simplenix.com" and "
www.users.simplenix.com" as being the only allowed domain names to use this SSL.
(LOL) Firefox also says I've visited the SSL domain 1,141 times already this year... but doesn't tell me a thing about who I am, where I'm from, etc.
Nothing more. Nothing less. It's strictly an encryption protocol.
Now if you WANT your SSL to be Proof of Identity you can PAY for those features!!! See:
https://www.ssltrust.com/ssl-certificatesThis company charges $23/year just to put your business name on your SSL. (No, they don't actually PROVE it exists, it's legal, etc. - just that the NAME exists.)
As for my SSLs, that's 20 websites that claim to be "protected" and "trustworthy" based on your definition.
For Main-in-the-middle, that's easy to accomplish
EVEN WITH SSL.
Example:
Let's say I create a website called TinyC
are.net and set it up to look exactly like TCL - and get an SSL through Let's Encrypt which is effortless...
I then do some hacking magic and get into TCL's web server, forum server or wiki server OR better yet, one of the mirror repos out there...
I make some tweaks to the ISO installation images (mainly, changing /opt/tcemirror to point to CARE instead of CORE)
Easy Peasy! I'm now the Main in the Middle of an entire operating system... and the end users don't have a clue.
That is the most difficult example to accomplish - modifying the ISO images themselves - and it's still far from impossible.
This isn't a TCL thing... this is global. This is also why VeriSign and the others used to COST so much - there was actual HUMAN WORK involved.
@champignoom: Mirrors fetch content, whether it be by RSYNC, HTTP, HTTPS, FTP, etc. Many of these protocols do not use TLS (SSL), but regardless of whether they did or not is irrelevant -- it doesn't protect the DATA they're downloading.
None of the ISO files or extensions are "signed" and it's a waste of time signing things, as has been said.
For example, I'm a developer (programmer... coder... what ever you want to call it these days...)
I'm going to create a video game (the MOST POPULAR method of MiiM on cell phones and tablets to date!)
Once it's reasonably functional, I'm going to PUBLISH it. Voila'! It's signed!
Signed just means it came from ME. If you actually LOOK at some/many of these signatures out there, they use ALIAS INFORMATION and handles! Free-mail accounts for sending and receiving communications from the signature system, my first/last name being "Avid Hacker", my address being 12345 Somestreet, Everywhere, CA 90066 (I tend to use this kind of information when signing up for websites I don't trust - which is most!) and for those with a hint of 80's nostalgia my phone number is 888-867-5309.
So, as an end-user to "signed" files... you get what EVER I packaged into the mix - viral, or worse, all whilst thinking you're safe and cozy with SSL and/or Signed Software. The best part about it, if the package contains anything bad... it points back to a person that doesn't exist.
"Wait! There have to be some places that VERIFY who you are!?"
Do you really think Google has time (and money) to waste by verifying developers are who they claim to be?
They don't HAVE to. They let the PUBLIC determine who's naughty and who's nice - and the naughty get banned after the fact. After the damage is done.
...and the email address another_junk_email_account@gmail/yahoo/hotmail/etc.com and fake google voice phone number get deleted and there's no trace Avid Hacker even existed in the first place and they create another persona and do it all again.
My job is to DETECT scams, back doors, etc. so I have to be educated on how it's done in the first place. (Means... I have a wee clue of what I'm talking about!
)
The CONCEPT of how Tiny Core Linux manages their repo is reasonably sound. Only the Admins, that I'm aware of, have access to the ISO files and their creation.
EXTENSIONS, which are easily compared to APK apps on Android or even "Software Applications" on Windows, are community driven 99.something% of the time. This means that the quirky media player you downloaded could have come from virtually anywhere (thus READ the INFO FILE before DOWNLOADING ANYTHING from ANYWHERE! At very least to see
where it came from.)
YOU can create a document, script, all the way up to a full-fledged application and
YOU can submit it to TCL and with a quick scan of the content, if they feel it IS what you SAY it is, they'll post it for all others to see/use. They don't TEST every extension/application themselves - but neither does Ubuntu, Red Hat... Apple... Microsoft... nor can they be expected to.
Google doesn't TEST APKs submitted to the Play Store - YOU do.
Microsoft surely doesn't TEST anything on their store, the department stores, etc. YOU do.
TinyCore cannot be expected to hire people to TEST everything, either. Again...
community driven.
If you want SAFETY:- Never download anything from anyone you did not personally create - everyone else introduces risk (even Microsoft, Apple, etc. - nothing is "infallible!")
- HTTP versus HTTPS is for Point to Point encryption. If you're BANKING, you want the stuff you send/receive to be utterly USELESS to anyone ELSE that sees it - that's SSL's purpose in life. If you're downloading a picture of the Great Lakes that was shared with the world by a lucky photographer who felt generous to share, or a snap-shot you took in high school you posted on Face*ook , why encrypt it? If someone ELSE were to see it... what harm does it cause? It's already public!?!? So are the TCL mirror files.
- If you're worried about being hacked, or someone is watching you through your own web camera... unplug the computer and walk away... WiFi signals CAN be transmitted through the electrical lines!!! (actual fact.) For everyone else, educate yourselves on the REAL meaning of things (like SSL, Software Signatures, etc.) so you can sound intelligent in a conversation AND so you know what lines exist - and which not to cross.
- If you want SAFETY: "Don't run with scissors." "Always use protection." "Steer clear of a stampede."
- Utilize Common Sense... but BASE IT on FACT, not assumption.
Admins: For sake of never having to repeat myself, please trim this post as you see fit and post it on the Wiki so it's easy to reference here-out.
SSL: Secure Sockets Layer, a former standard security technology, deprecated in June 2015, for establishing an encrypted link between a server and a client (TLS has pretty much replaced SSL, but we still USE THE TERM "SSL" because the name's been around for so long.)
Key Concepts:Certificate Authority (CA): A trusted third party responsible for issuing and verifying digital certificates.
Public Key Infrastructure (PKI): The framework—comprising public and private keys—that facilitates secure electronic transfer of information.
Encryption: Scrambles data in transit, ensuring that even if intercepted, it cannot be read without the corresponding key.
However, Google's AI reads:
An SSL (Secure Sockets Layer) certificate is a digital document that authenticates a website's identity and enables an encrypted connection. Although the technology was officially superseded by TLS (Transport Layer Security), the industry still uses the term "SSL". It acts as an electronic passport, verifying that a user is communicating directly with the intended server and protecting data from interception.
which is
potentially misleading as it states it "authenticates a WEBSITE'S IDENTITY" where I imagine some people are misconstruing this as a PERSON'S IDENTITY, as the identity in question was shown in the above simplenix example.
LMAO! Not even
https://microsoft.com SSL certificate has "ownership information" -- and it's SELF SIGNED, so THEY are the CA to their own website(s) - they're the cop, balif, judge and jury all in one!
It's a business level certificate (OV) (which costs them nothing extra since they're the CA, too) which just states they're supposed to be located in Redmond, WA, US - and that's it.
DO NOT post a link to wiki/SSL... dozens of possible uses for the acronym "SSL" including "
Sesame Street Live!"
Instead, use:
https://en.wikipedia.org/wiki/Transport_Layer_Security#SSL_1.0,_2.0,_and_3.0
Welcome
FAQ
Downloads
Wiki
