[liberationtech] How to protect users from compelled fake ssl certs?

coderman coderman at
Tue Jul 2 08:32:23 PDT 2013

On Tue, Jul 2, 2013 at 2:36 AM, Guido Witmond <guido at> wrote:
> ...
> Check
> Transparency:;
> or others.
> ...
> Publish the sites' TLS certificate in DNSSEC with DANE. Or use the CAA
> proposal.

i would still prefer the best option where available: certificate
pinning from the service and application provider directly. e.g.
Google Chrome cert pins for Google services.

you can also roll your own root and server certificate validation
rules using out of band determination of "valid" server / ca certs if
you don't trust third parties to do this properly!  difficulty varies
by application and platform...
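An added example, not part of the original post: one way to apply an out-of-band pin on top of normal CA validation, using only the Python standard library. The function names and the sample bytes are assumptions made for illustration, and the pin here is the SHA-256 of the whole DER certificate, so it must be updated (or a backup pin listed) whenever the server certificate is replaced.

```python
import hashlib
import hmac
import socket
import ssl

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def pin_matches(der: bytes, pins) -> bool:
    """True if the certificate's fingerprint is in the pinned set.

    Pins are hex strings obtained out of band; colons and case are ignored.
    An empty pin set never matches (fail closed).
    """
    fp = cert_fingerprint(der)
    return any(
        hmac.compare_digest(fp, pin.lower().replace(":", ""))
        for pin in pins
    )

def connect_pinned(host: str, port: int, pins, timeout: float = 10.0):
    """Open a TLS connection and refuse it unless the leaf cert is pinned.

    The default context still checks the CA chain and hostname; the pin is
    an additional rule, so a mis-issued but CA-valid certificate is rejected.
    """
    ctx = ssl.create_default_context()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if not der or not pin_matches(der, pins):
        tls.close()
        raise ssl.SSLError(f"certificate for {host} does not match any pin")
    return tls

# Constructed sample input: arbitrary bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed stand-in for a DER-encoded certificate"
SAMPLE_PINS = {cert_fingerprint(SAMPLE_DER)}

if __name__ == "__main__":
    print(pin_matches(SAMPLE_DER, SAMPLE_PINS))          # pinned certificate
    print(pin_matches(SAMPLE_DER + b"!", SAMPLE_PINS))   # substituted certificate
```
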
