[cryptography] wont CA hackers CA pin also? and other musings (Re: PKI "fixes" that don't fix PKI (part III))

Seth David Schoen schoen at loyalty.org
Sat Sep 10 13:28:01 EDT 2011

Adam Back writes:

> And just while I am here there was a paper that proposed a firefox plugin
> that would cache certs and warn if one changed unexpectedly.  Savy users
> would then notice the warning before clicking through, and post the evidence
> on relevant security lists.  However the plugin seems to be vaporware and no
> one ever implemented or at least released such a thing which seems rather
> odd in the last years SSL/PKI environment.  We could really use such a thing
> around now, I'd install it for sure.

Certificate Patrol implements a warning when a site's
certificate changes, so it might be what you want.

If you're thinking of the Certified Lies paper, they
proposed a warning when a certificate is issued by a CA
located in a different country than the old one.  This
is focused on a threat model where governments use legal
systems (or maybe administrative control of CAs, or maybe
just cozy relations) to get the CAs to misissue.

Seth David Schoen <schoen at loyalty.org>      |  No haiku patents
     http://www.loyalty.org/~schoen/        |  means I've no incentive to
  FD9A6AA28193A9F03D4BF4ADC11B36DC9C7DD150  |        -- Don Marti

More information about the cryptography mailing list