  • December 29, 2022
    HD Moore
    @hdm

    #python  #infosec  #tls 

    Today’s fun turtle-chasing[0] moment was trying to understand how a python application validated TLS certificates. The application relies on the certifi package[1], which is built from the python-certifi github repository[2]. Both of these describe the source of this data as Mozilla, but they actually call an endpoint on the https://mkcert.org service hosted on Digital Ocean[3], which is built from the Lukasa/mkcert github repository[4]. The mkcert repository uses a Mercurial repository URL hosted by Mozilla[5]. This is fed by Mozilla’s CA inclusion process[6].

    Even ignoring the Mozilla CA process, the number of people and companies involved in bringing a static PEM file into your python application is mind-boggling.

    0. https://en.wikipedia.org/wiki/Turtles_all_the_way_down

    1. https://pypi.org/project/certifi/

    2. https://github.com/certifi/python-certifi/blob/master/Makefile

    3. https://mkcert.org/

    4. https://github.com/Lukasa/mkcert

    5. https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

    6. https://wiki.mozilla.org/CA/Included_Certificates

    #python #infosec #tls

    The unintentional irony of the mkcert.org landing page is 😘

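One defensive answer to the chain described in the post is to stop treating the bundle as opaque: fingerprint every root the application actually ships and compare against a pinned allow-list, so a change that arrives through certifi, mkcert.org or the Mozilla certdata.txt feed shows up as a diff in CI instead of going unnoticed. The script below is an added example, not code from the post, from certifi or from mkcert; the sample bundle, the `ROOT_A`/`ROOT_B` payloads and the labels are constructed placeholders (not real certificates), and the `certifi` import at the bottom is optional and only used when the package happens to be installed.

```python
"""Audit the CA bundle a Python application actually trusts.

Added example: parses a PEM bundle in the layout certifi ships, computes the
SHA-256 fingerprint of every root, checks the set against a pinned allow-list
and can drop a root by fingerprint. Nothing here is certifi's or mkcert's code.
"""
import base64
import hashlib
import re

# One PEM block: the base64 body between the BEGIN/END armour lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_body):
    """Decode the base64 body of one PEM block into its DER bytes."""
    return base64.b64decode("".join(pem_body.split()))


def split_bundle(text):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    return [pem_to_der(body) for body in PEM_BLOCK.findall(text)]


def fingerprint(der):
    """SHA-256 over the DER encoding, the form root-program listings use."""
    return hashlib.sha256(der).hexdigest()


def audit_bundle(text, pinned):
    """Compare the roots in a bundle with a pinned set of fingerprints.

    'unexpected' are roots present in the bundle but not in the allow-list
    (an upstream addition); 'missing' are pinned roots that disappeared.
    """
    found = {fingerprint(der) for der in split_bundle(text)}
    return {
        "count": len(found),
        "unexpected": sorted(found - pinned),
        "missing": sorted(pinned - found),
    }


def strip_roots(text, distrusted):
    """Return the bundle with every root whose fingerprint is in `distrusted`
    removed; all other text (comments, other roots) is kept verbatim."""
    def keep_or_drop(match):
        der = pem_to_der(match.group(1))
        return "" if fingerprint(der) in distrusted else match.group(0)
    return PEM_BLOCK.sub(keep_or_drop, text)


# --- constructed sample data (placeholders, not real certificates) ---------
def _pem(der):
    """Wrap raw bytes in PEM armour, as a bundle builder would."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


ROOT_A = b"constructed placeholder: not a real certificate (A)"
ROOT_B = b"constructed placeholder: not a real certificate (B)"
SAMPLE_BUNDLE = (
    "# Label: Example Root A (constructed)\n" + _pem(ROOT_A)
    + "\n# Label: Example Root B (constructed)\n" + _pem(ROOT_B)
)


if __name__ == "__main__":
    # Prefer the bundle the running interpreter would really use, if certifi
    # is installed; otherwise fall back to the constructed sample above.
    try:
        import certifi  # optional; only used when present
        with open(certifi.where(), encoding="utf-8") as fh:
            bundle = fh.read()
    except ImportError:
        bundle = SAMPLE_BUNDLE
    pinned = {fingerprint(ROOT_A), fingerprint(ROOT_B)}  # replace with your real list
    report = audit_bundle(bundle, pinned)
    print("roots in bundle:", report["count"])
    print("not in allow-list:", len(report["unexpected"]))
    print("pinned but absent:", len(report["missing"]))
```

In practice the pinned set is generated once from a reviewed bundle, committed next to the application, and the audit runs whenever the certifi dependency is bumped; `strip_roots` is the hook for removing a root your organisation has decided not to trust without waiting for the upstream chain to catch up.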
  • November 9, 2022
    HD Moore
    @hdm

    #trustcor  #tls 

    Some scary reporting from @joesephmenn@twitter.com via The Post: One of the powerful root certificate authorities trusted by big web browsers to vouch for websites operates from a UPS Store address and has ties to a U.S. intelligence contractor selling interception gear: https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/ #TrustCor #TLS


Copyright 1998-2025 HD Moore