[liberationtech] verifying SSL certs (was Re: In defense of client-side encryption (Guido Witmond)
Andy Isaacson
adi at hexapodia.org
Tue Aug 13 10:42:05 PDT 2013
On Mon, Aug 12, 2013 at 11:10:39AM +0200, Guido Witmond wrote:
> There is another problem. You rely on HTTPS. Here is the 64000 dollar
> question:
>
> Q. _"What is the CA-certificate for your bank's website?"_
>
> I ask that question to anyone who claims to be security conscious. No
> one has given me a positive answer so far. Not even a wrong answer. Only
> that people don't know.
>
> So I take it for granted that people won't verify anything, ever.

FWIW, I did run my browser in "trust on first use" (TOFU) mode -- I
deleted all the CA certs and manually added exceptions for each site, as
I encountered the certificate warnings -- for several years. I've given
up on that for modern websites because

 - sites frequently include resources from other hostnames, and JS/CSS
   https errors are silently ignored by Firefox
 - load-balanced websites frequently have multiple certificates for a
   single hostname, and Firefox only allows a single certificate
   exception per hostname
 - expiration times have come down to, generally, 1 year, and with
   multiple certs per page, I was approving a new cert for most pages at
   least once every few months, decreasing the value of Trust in TOFU.

So in some sense I would have been able to answer that "what is the cert
for your bank", by saying "the one that I approved last year and has
been correctly working since then". But the world has passed that model
by.

-andy
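
The approval burden described in the message above, as an added example that is not part of the original post: a small Python model of a TOFU pin store, comparing one pinned certificate per hostname with two when a load-balanced host alternates between two certificates. The names TofuStore and count_prompts, the hostnames and the certificate bytes are all hypothetical or constructed, and the user is assumed to approve every prompt.

```python
import hashlib

class TofuStore:
    """Trust-on-first-use pins: up to max_pins approved fingerprints per hostname."""

    def __init__(self, max_pins=1):
        self.max_pins = max_pins
        self.pins = {}      # hostname -> list of SHA-256 fingerprints, newest last
        self.prompts = []   # (hostname, reason) for every decision pushed to the user

    def check(self, hostname, cert_bytes):
        fp = hashlib.sha256(cert_bytes).hexdigest()
        known = self.pins.setdefault(hostname, [])
        if fp in known:
            return "match"
        # Unpinned cert: the store cannot tell a second load-balancer node or a
        # renewal from an interception, so the user is asked every time.
        reason = "changed" if known else "first-use"
        self.prompts.append((hostname, reason))
        known.append(fp)              # assumption: the user approves the exception
        del known[:-self.max_pins]    # oldest pins fall out once the limit is hit
        return reason

def count_prompts(max_pins, visits):
    """Replay (hostname, cert) visits and return how many approvals were needed."""
    store = TofuStore(max_pins)
    for hostname, cert in visits:
        store.check(hostname, cert)
    return len(store.prompts)

# Constructed input: placeholder byte strings stand in for DER certificates.
NODE_A = b"constructed-cert-node-a"
NODE_B = b"constructed-cert-node-b"
CDN = b"constructed-cert-cdn"
VISITS = [
    ("bank.example", NODE_A), ("static.example", CDN),
    ("bank.example", NODE_B), ("static.example", CDN),
    ("bank.example", NODE_A), ("bank.example", NODE_B),
]

if __name__ == "__main__":
    print("one pin per host :", count_prompts(1, VISITS), "prompts")
    print("two pins per host:", count_prompts(2, VISITS), "prompts")
```

With one pin per hostname every switch between the two nodes produces a "changed" prompt that looks exactly like an interception would, which is how repeated approvals erode the trust in TOFU.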