On 07/25/2013 02:19 AM, Eugen Leitl wrote:
(See also https://en.wikipedia.org/wiki/Convergence_(SSL) )
Convergence is an interesting idea, but I'm not sure how it addresses the issue in the article. Convergence is designed to deal with shortcomings of certificate authorities (by providing what Moxie calls "trust agility," the ability to change who you trust to confirm public keys). The problem is that companies are sharing their private keys. If they do this, how you get their public key is irrelevant: the content you send them is accessible by a third party, and the content you receive from them can be tampered with. Also, Convergence hasn't been updated in over a year and is full of bugs. I don't think it even works on recent Firefox versions at all (at least, the official git repo doesn't).