SSL, CAs and keeping your stuff safe

A capitalistic and system conformant talk about encryption.


Armin Ronacher

May 10, 2014


Slide 11:

    Bitcoin                     Credit card
    Strong encryption           Potentially no encryption
    256 bit private key         16 digit number + checksum
    decentralized               centralized
    √                           x

Slide 25:

    users need to understand how to tell good from bad lock symbols / good from bad encryption.

Slide 37:

    $ ssh
    The authenticity of host ' (' can't be established.
    RSA key fingerprint is 14:23:83:02:45:f9:9c:d0:eb:39:c7:14:42:f5:9f:9c.
    Are you sure you want to continue connecting (yes/no)?

Slide 43:

    run your own CA
    issue certificates for 24 hours
    trust your own CA only
    screw revocations

Slide 52:

    Trusting a CA: I trust “TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı” to vouch for the identity of any domain on the planet.

Slide 53:

    trusting half the world: one shitty employee in one shitty CA is enough to break your security.

Slide 54:

    What we actually want: I trust “Comodo” to vouch for the identity of “Foo Owner”. I only trust “Foo Owner” to vouch for the identity of

Slide 55:

    if you have seen being from Verisign and all of a sudden it becomes a StartSSL certificate, you know something might be wrong.

Slide 61:

    Requests by default trusts its own bundle :-/ (and does not even properly document how to use custom ones)

Slide 66:

    See “OpenSSL Valhalla Rampage” :-( “i give up. reuse problem is unfixable. dlg says puppet crashes” — tedu

Slide 69:

    what happens to your user if he gets hacked? (food for thought: keyloggers are still a thing)

Slide 73:

    ? Feel free to ask questions. Talk slides will be online on  You can find me on Twitter: @mitsuhiko And gittip:  Or hire me:
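The ssh fingerprint prompt (slide 37) and the "Verisign suddenly became StartSSL" heuristic (slide 55) are the same trust-on-first-use idea: remember what you saw for a host, and complain when it changes, with an issuer change treated as the stronger signal than a renewal under the same CA. The following is an added example, not code from the talk; the hostname, the issuer strings and the certificate bytes are constructed stand-ins (a real check would hash the DER certificate taken from the TLS handshake).

```python
import hashlib

# Constructed sample "certificates". In practice `der` would be the DER bytes
# of the leaf certificate from the handshake; here they are placeholder bytes.
FIRST_SEEN = {"issuer": "VeriSign Class 3 (constructed)", "der": b"constructed-cert-A"}
RENEWED_SAME_CA = {"issuer": "VeriSign Class 3 (constructed)", "der": b"constructed-cert-B"}
ISSUER_SWITCH = {"issuer": "StartCom Class 1 (constructed)", "der": b"constructed-cert-C"}


def fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, in the style of the ssh prompt."""
    digest = hashlib.sha256(der).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_host(store: dict, host: str, cert: dict) -> str:
    """Trust-on-first-use check against a known-hosts style store.

    Returns one of:
      'first-use'      - never seen this host; record it and carry on
      'unchanged'      - same certificate as last time
      'renewed'        - new certificate, same issuer (plausible rotation)
      'issuer-changed' - new certificate from a different CA (investigate)
    The store is only written on first use; a change is reported, never
    silently accepted, so that a human decides, as with ssh.
    """
    fp = fingerprint(cert["der"])
    seen = store.get(host)
    if seen is None:
        store[host] = {"fingerprint": fp, "issuer": cert["issuer"]}
        return "first-use"
    if seen["fingerprint"] == fp:
        return "unchanged"
    if seen["issuer"] != cert["issuer"]:
        return "issuer-changed"
    return "renewed"


def demo(host: str = "example.test") -> list:
    """Run the three constructed observations through one fresh store."""
    store = {}
    return [check_host(store, host, c)
            for c in (FIRST_SEEN, FIRST_SEEN, RENEWED_SAME_CA, ISSUER_SWITCH)]
```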