[cryptography] wont CA hackers CA pin also? and other musings (Re: PKI "fixes" that don't fix PKI (part III))
Seth David Schoen
schoen at loyalty.org
Sat Sep 10 13:28:01 EDT 2011
Adam Back writes:
> And just while I am here there was a paper that proposed a Firefox plugin
> that would cache certs and warn if one changed unexpectedly. Savvy users
> would then notice the warning before clicking through, and post the evidence
> on relevant security lists. However the plugin seems to be vaporware and no
> one ever implemented or at least released such a thing which seems rather
> odd in the last year's SSL/PKI environment. We could really use such a thing
> around now, I'd install it for sure.

Certificate Patrol implements a warning when a site's
certificate changes, so it might be what you want.

If you're thinking of the Certified Lies paper, they
proposed a warning when a certificate is issued by a CA
located in a different country than the old one. This
is focused on a threat model where governments use legal
systems (or maybe administrative control of CAs, or maybe
just cozy relations) to get the CAs to misissue.

Seth David Schoen <schoen at loyalty.org> | No haiku patents
http://www.loyalty.org/~schoen/ | means I've no incentive to
FD9A6AA28193A9F03D4BF4ADC11B36DC9C7DD150 | -- Don Marti
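
The two warnings discussed in the message above (any change of a site's certificate, and a change in the issuing CA's country), as an added sketch that is not part of the original post and not code from Certificate Patrol or the Certified Lies authors. It assumes certificates arrive as the DER bytes and decoded dict that Python's `ssl` `getpeercert()` returns; the class, function names and sample values are hypothetical.

```python
import hashlib

def issuer_field(cert, name):
    """Read one issuer attribute from an ssl getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == name:
                return value
    return None

def record(der, cert):
    """What the cache keeps: (sha256 of DER, issuer country, issuer org)."""
    return (hashlib.sha256(der).hexdigest(),
            issuer_field(cert, "countryName"),
            issuer_field(cert, "organizationName"))

class CertCache:
    """Remembers the last accepted certificate per host."""
    def __init__(self):
        self.seen = {}  # host -> record tuple

    def observe(self, host, der, cert):
        """Return (verdict, detail); a warning never overwrites the cache."""
        new, old = record(der, cert), self.seen.get(host)
        if old is None:
            self.seen[host] = new
            return ("first-seen", None)
        if old[0] == new[0]:
            return ("unchanged", None)
        if old[1] != new[1]:  # issuing CA is now in a different country
            return ("ca-country-changed", f"{old[1]} -> {new[1]}")
        return ("cert-changed", f"{old[2]} -> {new[2]}")

    def accept(self, host, der, cert):
        """Record a changed certificate after the user has reviewed it."""
        self.seen[host] = record(der, cert)

# Constructed samples: the byte strings stand in for DER certificates.
def _issuer(country, org):
    return {"issuer": ((("countryName", country),), (("organizationName", org),))}

SAMPLES = [
    (b"constructed-cert-A", _issuer("US", "Example CA One")),
    (b"constructed-cert-A", _issuer("US", "Example CA One")),
    (b"constructed-cert-B", _issuer("US", "Example CA Two")),
    (b"constructed-cert-C", _issuer("ZZ", "Example CA Three")),
]

def demo(host="www.example.com"):
    cache = CertCache()
    return [cache.observe(host, der, cert) for der, cert in SAMPLES]
```

Because a warning leaves the cached record in place, the third and fourth samples are both compared against the first certificate until `accept()` is called.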