Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] How to protect users from compelled fake ssl certs?

Daniel Sieradski ds at danielsieradski.com
Wed Jul 3 11:54:30 PDT 2013


i use https://www.grc.com/fingerprints.htm to verify certs on the client end to make sure i'm not being man in the middled. it would be awesome if this were available as a firefox and chrome plugin that automatically did a check for you and gave you a red or green light.

--
Daniel Sieradski
ds at danielsieradski.com
http://danielsieradski.com
315.889.1444

Follow me at http://twitter.com/selfagency
Public key http://danielsieradski.com/share/ds_public.key

On Jul 3, 2013, at 2:41 PM, coderman <coderman at gmail.com> wrote:

> On Tue, Jul 2, 2013 at 10:01 AM, Ralph Holz <holz at net.in.tum.de> wrote:
>>> DANE: https://tools.ietf.org/html/rfc6698
>>> CAA: https://tools.ietf.org/html/rfc6844
>>> ....
>> I wonder whether that would have protected against the Comodo Hacker. It
>> seems it depends when and from where the CAA checks are run.
> 
> it would not. Comodo Hacker used the HSM programmatic interfaces
> directly to issue certificates, thus bypassing any checks CAA would
> imply.
> 
> 
>> ...
>> It's another reason I like DANE and CT better.
> 
> fortunately you don't have to pick one; use both ;)
> --
> Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130703/1d021c4b/attachment.html>


More information about the liberationtech mailing list