[liberationtech] How to protect users from compelled fake ssl certs?

coderman coderman at gmail.com
Tue Jul 2 08:32:23 PDT 2013


On Tue, Jul 2, 2013 at 2:36 AM, Guido Witmond <guido at witmond.nl> wrote:
> ...
> Check
> http://perspectives.project.org;
> Transparency: http://www.certificate-transparency.org/;
> or others.
> ...
> Publish the sites' TLS certificate in DNSSEC with DANE. Or use the CAA
> proposal.


i would still prefer the best option where available: certificate
pinning from the service and application provider directly. e.g.
Google Chrome cert pins for Google services.

you can also roll your own root and server certificate validation
rules using out of band determination of "valid" server / ca certs if
you don't trust third parties to do this properly!  difficulty varies
by application and platform...
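
The out-of-band pinning described in the message above, sketched in Python as an added example that is not part of the original post. It pins the SHA-256 of the whole server certificate (rather than its public key, to stay within the standard library) on top of normal CA and hostname validation; all function names and the sample bytes are assumptions made for illustration.

```python
import hashlib
import socket
import ssl


class PinMismatch(Exception):
    """The server's certificate matched none of the pinned fingerprints."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AA:BB:..' or 'aabb..' forms as copied from other tools."""
    return pin.replace(":", "").replace(" ", "").lower()


def matches_pin(der_cert, pins) -> bool:
    """True if the certificate is one of the pinned ones (current or backup)."""
    allowed = {normalize_pin(p) for p in pins}
    return bool(der_cert) and fingerprint(der_cert) in allowed


def connect_pinned(host: str, pins, port: int = 443, timeout: float = 10.0):
    """Open a TLS socket; keep CA and hostname checks, then enforce the pin."""
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    # A certificate that chains to a trusted CA but is not pinned is rejected here.
    if not matches_pin(tls.getpeercert(binary_form=True), pins):
        tls.close()
        raise PinMismatch(f"certificate for {host} matches no pinned fingerprint")
    return tls


# Constructed stand-in bytes, not a real certificate; enough to exercise the check.
SAMPLE_DER = b"constructed-sample-certificate-bytes"
SAMPLE_PINS = [fingerprint(SAMPLE_DER).upper(), "00" * 32]  # current + backup pin

if __name__ == "__main__":
    print(matches_pin(SAMPLE_DER, SAMPLE_PINS))         # pinned certificate
    print(matches_pin(SAMPLE_DER + b"!", SAMPLE_PINS))  # substituted certificate
```

The pin list has to reach the client through a channel the network path cannot alter, for example shipped inside the application, and needs a backup entry so a planned certificate rotation does not lock users out.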


