5 Apr 2010, 3:38 a.m.
--- On Sat, 4/3/10, Dave Howe <DaveHowe@gmx.co.uk> wrote:

> From: Dave Howe <DaveHowe@gmx.co.uk>
> Subject: Re: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
> To: "Email List - Cypherpunks" <cypherpunks@al-qaeda.net>
> Date: Saturday, April 3, 2010, 4:19 PM
>
> Rayservers wrote:
> > I have proposed that we strip out ALL outside certificate authorities from an
> > open source browser, and distribute such... and to practice what I preach, I
> > just went into FF and nuked the bunch - and whee, I can connect, verify the cert
> > and login :). The USER - a la monkey sphere - has to decide if she trusts the
> > Certificate Authority - who the hell are they anyway? And to answer my own
> > rhetorical question - those that issue the highest TRUST certificates to
> > licensed scammers a.k.a. the banks. I do not trust a single one of the
> > recommendations of official CAs. If I am forced, like one has to in this world -
> > to visit a bank website, I can figure out how much I distrust them all by
> > myself. All I want to know is "am I visiting the same site again"... and a "self
> > signed" cert is all I need, "ssh style". And yes, I love the monkeysphere
> > approach which would add meaningful levels of trust to that choice. And no -
> > there is no difference in my trust level if the cert says "self signed" or
> > "fairysign super duper" perhaps the former is better! - at least fairysign
> > cannot go off and bless the MITM - especially of any sites I run!
>
> It's a nice theory, but doesn't cover first-visit scenarios, nor the
> yearly rekey grind of giving CAs (large amounts of) money for the
> results of a fairly easy math problem.

The first visit scenario is definitely an issue. That brings it to the other question - why cannot CAs issue certificates to sites say like 10 years or 20 years and get the corresponding money for that. Most certificates issued by CAs usually have 2-3 years validity.

In case of a significant mathematical breakthrough the CA should provide an alternate secure certifying mechanism if the breakthrough occurred within the service period (10/20 years). The question is why do popular https sites not go for certificates that expire in 10/20 years if it helps security?

Another question, this one is specific to Gmail - which the entire session is on https. When I click a PDF in my Gmail to be opened with Google Docs, the certificate is signed by Google (used a third-party browser plugin to check this). That is fine, however my browser never alerts me as a potential untrusted certificate and if I want to add it as an exception. Does that mean Google is an intermediate CA or what does that mean?

Thank you,
Sarad AV

> What I would prefer is some parallel system where person 'x', who I
> trust, may or may not have visited site 'y', and may or may not have
> signed the then certificate, the signature for which (with its date of
> providence) is then stored *on the site* for me to access though a
> well-known url. That way, I can look with suspicion at sites which do
> not have such a certificate, investigate myself if they are serving the
> certificate I am expecting to see (and how do I do that? I have tried in
> the past phoning companies to obtain their website public key for
> independent verification; most don't know what one is, a few have even
> said they can't disclose that as it is *privileged information*....)
>
> But, who do I trust for that, who do *you* trust for that, and will
> those people be willing to give up a significant slice of time every year
> revisiting websites after their certificates are renewed, and facing the
> same hurdles I did (the complete ignorance of most companies as to how
> their websites' certificate works and unwillingness to supply an
> accurate fingerprint over the phone).
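
The "ssh style" check discussed in this thread ("am I visiting the same site again"), written out as an added example that is not part of the original message or of any browser's code. The `PinStore` class, the JSON file layout, the host name and the byte strings standing in for DER certificates are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the certificate's DER encoding, as a hex string."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """known_hosts-style store (hypothetical): host -> fingerprint seen on first contact."""

    def __init__(self, path):
        self.path = Path(path)
        self.pins = json.loads(self.path.read_text()) if self.path.exists() else {}

    def check(self, host: str, der_cert: bytes) -> str:
        pinned = self.pins.get(host)
        if pinned is None:
            # The first-visit gap: nothing to compare against, so the
            # fingerprint still has to be verified out of band.
            return "first-visit"
        if hmac.compare_digest(pinned, fingerprint(der_cert)):
            return "match"
        # A routine rekey and a man-in-the-middle look identical here.
        return "changed"

    def accept(self, host: str, der_cert: bytes) -> None:
        """Record (or replace) the pin after the user has decided to trust it."""
        self.pins[host] = fingerprint(der_cert)
        self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))


if __name__ == "__main__":
    # Constructed sample data: placeholder bytes, not real certificates.
    old_cert, new_cert = b"constructed-cert-2009", b"constructed-cert-2010"
    store = PinStore(os.path.join(tempfile.mkdtemp(), "pins.json"))
    print(store.check("bank.example", old_cert))   # no pin yet
    store.accept("bank.example", old_cert)
    print(store.check("bank.example", old_cert))   # same site again
    print(store.check("bank.example", new_cert))   # renewal or interception?
```

Against a live server, the DER bytes could come from `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))`; the store itself never learns why a certificate changed, which is the rekey problem raised in the quoted reply.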