Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates

Dave Howe DaveHowe at gmx.co.uk
Sat Apr 3 03:49:28 PDT 2010


Rayservers wrote:
> I have proposed that we strip out ALL outside certificate authorities from an
> open source browser, and distribute such... and to practice what I preach, I
> just went into FF and nuked the bunch - and whee, I can connect, verify the cert
> and login :). The USER - a la monkey sphere - has to decide if she trusts the
> Certificate Authority - who the hell are they anyway? And to answer my own
> rhetorical question - those that issue the highest TRUST certificates to
> licensed scammers a.k.a. the banks. I do not trust a single one of the
> recommendations of official CAs. If I am forced, like one has to in this world -
> to visit a bank website, I can figure out how much I distrust them all by
> myself. All I want to know is "am I visiting the same site again"... and a "self
> signed" cert is all I need, "ssh style". And yes, I love the monkeysphere
> approach which would add meaningful levels of trust to that choice. And no -
> there is no difference in my trust level if the cert says "self signed" or
> "fairysign super duper" perhaps the former is better! - at least fairysign
> cannot go off and bless the MITM - especially of any sites I run!

It's a nice theory, but doesn't cover first-visit scenarios, nor the
yearly rekey grind of giving CAs (large amounts of) money for the
results of a fairly easy math problem.

What I would prefer is some parallel system where person 'x', who I
trust, may or may not have visited site 'y', and may or may not have
signed the then certificate, the signature for which (with its date of
provenance) is then stored *on the site* for me to access through a
well-known URL. That way, I can look with suspicion at sites which do
not have such a certificate, investigate myself if they are serving the
certificate I am expecting to see (and how do I do that? I have tried in
the past phoning companies to obtain their website public key for
independent verification; most don't know what one is, a few have even
said they can't disclose that as it is *privileged information*....)

But, who do I trust for that, who do *you* trust for that, and will
those people be willing to give up a significant slice of time every year
revisiting websites after their certificates are renewed, and facing the
same hurdles I did (the complete ignorance of most companies as to how
their websites' certificate works and unwillingness to supply an
accurate fingerprint over the phone).
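A sketch of the two mechanisms discussed above, added here as an example and not code from either poster: an "ssh style" pin store that only answers "is this the same certificate as last time?" (and so has nothing to say on a first visit, nor any way to tell a renewal from a MITM), next to the parallel scheme the reply proposes, where a person the user has chosen to trust signs (host, certificate fingerprint, date) and the site serves that signed record for visitors to check. The function and type names (`Fingerprint`, `PinStore`, `Endorse`, `Trusted`), the line-separated signed payload, the Ed25519 signature scheme and the "DER" bytes are all assumptions made for the example; fetching the record from the site's well-known URL is left out, since the thread names no path.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Fingerprint is the hex SHA-256 of a DER-encoded certificate: the value a
// company would need to read out over the phone, and the value endorsed below.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// PinStore holds host -> fingerprint seen on first use ("ssh style"). CheckPin
// cannot say anything on the first visit, nor tell a renewal from a MITM.
type PinStore map[string]string

func (p PinStore) CheckPin(host string, der []byte) string {
	fp := Fingerprint(der)
	prev, ok := p[host]
	if !ok {
		p[host] = fp
		return "first-visit"
	}
	if prev == fp {
		return "match"
	}
	return "mismatch"
}

// Endorsement is the record a trusted person signs after visiting the site;
// the site would then publish it for visitors to fetch (assumed layout).
type Endorsement struct {
	Host        string
	Fingerprint string
	Date        string // RFC 3339; the "date of provenance"
	Endorser    string
	Sig         []byte
}

// payload is the exact byte string that is signed; Sig itself is excluded.
func (e *Endorsement) payload() []byte {
	return []byte(e.Host + "\n" + e.Fingerprint + "\n" + e.Date + "\n" + e.Endorser)
}

// Endorse is the endorser's side: sign (host, fingerprint, date, name).
func Endorse(priv ed25519.PrivateKey, endorser, host string, der []byte, when time.Time) Endorsement {
	e := Endorsement{Host: host, Fingerprint: Fingerprint(der),
		Date: when.UTC().Format(time.RFC3339), Endorser: endorser}
	e.Sig = ed25519.Sign(priv, e.payload())
	return e
}

// Trusted maps endorser names to the public keys the *user* chose to trust.
type Trusted map[string]ed25519.PublicKey

// Verify is the visitor's side: the record fetched from the site must come from
// someone in my list, carry a valid signature, name this host, match the
// certificate actually served, and not be stale or post-dated.
func (t Trusted) Verify(e Endorsement, host string, der []byte, now time.Time, maxAge time.Duration) error {
	pub, ok := t[e.Endorser]
	if !ok {
		return errors.New("endorser is not in my trust list")
	}
	if !ed25519.Verify(pub, e.payload(), e.Sig) {
		return errors.New("endorsement signature does not verify")
	}
	if e.Host != host {
		return errors.New("endorsement names a different host")
	}
	if e.Fingerprint != Fingerprint(der) {
		return errors.New("endorsed fingerprint differs from served certificate")
	}
	d, err := time.Parse(time.RFC3339, e.Date)
	if err != nil {
		return err
	}
	if d.After(now) || now.Sub(d) > maxAge {
		return errors.New("endorsement date is in the future or too old")
	}
	return nil
}

func main() {
	// Constructed stand-in for a certificate's DER bytes; a real client would
	// take tls.ConnectionState.PeerCertificates[0].Raw from the live connection.
	der := []byte("constructed DER bytes for bank.example")
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	e := Endorse(priv, "alice", "bank.example", der, now.Add(-24*time.Hour))
	fmt.Println("endorsement:", Trusted{"alice": pub}.Verify(e, "bank.example", der, now, 365*24*time.Hour))
	pins := PinStore{}
	fmt.Println("pin:", pins.CheckPin("bank.example", der), pins.CheckPin("bank.example", der))
}
```

Note where the reply's objection lands in this code: after the site's yearly renewal, `Verify` returns the fingerprint-mismatch error even though the endorser's signature is still perfectly valid, so every endorsement has to be redone by hand, which is exactly the recurring revisit burden the reply describes. Whether to key the endorsement to the certificate or to the longer-lived public key inside it is a design choice the thread does not settle.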