[liberationtech] How to protect users from compelled fake ssl certs?

Guido Witmond guido at witmond.nl
Tue Jul 2 09:50:40 PDT 2013


On 02-07-13 17:32, coderman wrote:
> On Tue, Jul 2, 2013 at 2:36 AM, Guido Witmond <guido at witmond.nl> wrote:
>> ...
>> Check
>> http://perspectives.project.org;
>> Transparency: http://www.certificate-transparency.org/;
>> or others.
>> ...
>> Publish the sites' TLS certificate in DNSSEC with DANE. Or use the CAA
>> proposal.
> 
> 
> i would still prefer the best option where available: certificate
> pinning from the service and application provider directly. e.g.
> Google Chrome cert pins for Google services.

Certificate pinning certainly provides the best protection when
connecting to Gmail with a Google provided Chrome browser running a
Google provided operating system. I don't expect them to provide
anything less (secure) for their customers/users.

But it does nothing to protect me when connecting to sites that Google
does not include in their pinning list.

There I have the same problem as before.

> 
> you can also roll your own root and server certificate validation
> rules using out of band determination of "valid" server / ca certs if
> you don't trust third parties to do this properly!  difficulty varies
> by application and platform...

Those third parties have proven not to be trustworthy. That's why we
need monitoring systems like Perspectives and CT, and DNSSEC/DANE or CAA to
tell us which certificate authority to expect.


Cheers, Guido.
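As an added example (not code from this thread), here is the DANE/TLSA matching step that Guido's "DNSSEC/DANE tells us which certificate to expect" relies on, in Python: the site operator derives a TLSA record from its certificate, and a client checks the certificate it was actually served against the DNSSEC-validated record, so a compelled certificate for the same name under a different key fails even though a browser's CA list would accept it. The certificates here are constructed, structurally valid placeholders with no real key or signature, and the DNSSEC lookup is assumed to have already happened.

```python
import hashlib
# RFC 6698 TLSA matching types: 0 = full DER, 1 = SHA-256, 2 = SHA-512 of the selected data
DIGEST = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(), 2: lambda b: hashlib.sha512(b).digest()}

def der_walk(buf):
    """Yield (tag, value, whole_tlv) for each DER TLV laid end to end in buf."""
    i = 0
    while i < len(buf):
        start, tag, n, i = i, buf[i], buf[i + 1], i + 2
        if n & 0x80:                                  # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n], buf[start:i + n]
        i += n

def extract_spki(cert_der):
    """Return the DER subjectPublicKeyInfo of an X.509 Certificate (TLSA selector 1)."""
    _, cert_body, _ = next(der_walk(cert_der))       # Certificate SEQUENCE body
    _, tbs, _ = next(der_walk(cert_body))            # tbsCertificate comes first
    fields = list(der_walk(tbs))
    if fields[0][0] == 0xA0:                         # skip EXPLICIT [0] version if present
        fields = fields[1:]
    return fields[5][2]                              # serial, sigAlg, issuer, validity, subject, SPKI

def selected(selector, cert_der):                    # selector 0 = whole cert, 1 = SPKI only
    return cert_der if selector == 0 else extract_spki(cert_der)

def make_tlsa(selector, mtype, cert_der, usage=3):  # usage 3 = DANE-EE: this exact end-entity cert
    """Operator side: the TLSA record to publish (under DNSSEC) for cert_der."""
    return (usage, selector, mtype, DIGEST[mtype](selected(selector, cert_der)))

def tlsa_matches(record, cert_der):
    """Client side: does the DNSSEC-validated TLSA record cover the cert the server sent?"""
    _usage, selector, mtype, data = record
    if selector not in (0, 1) or mtype not in DIGEST:
        return False                                 # unknown field value: record is unusable
    return DIGEST[mtype](selected(selector, cert_der)) == data

def der(tag, payload):                               # short-form lengths suffice for the demo cert
    assert len(payload) < 0x80
    return bytes([tag, len(payload)]) + payload

def constructed_cert(pubkey):
    """Structurally valid but CONSTRUCTED placeholder certificate: no real key or signature."""
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01")) + der(0x03, b"\x00" + pubkey))
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") * 4 + spki
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))

GOOD_CERT = constructed_cert(b"\x02" + b"\x11" * 32)   # constructed: the cert the operator published
FAKE_CERT = constructed_cert(b"\x02" + b"\x22" * 32)   # constructed: a compelled cert for the same name
```

A "3 1 1" record (DANE-EE, SPKI, SHA-256) is the DNS-published equivalent of the key pin coderman describes, except that any domain owner can publish one rather than only sites on a browser vendor's list.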
