[liberationtech] How to protect users from compelled fake ssl certs?
coderman
coderman at gmail.com
Tue Jul 2 08:32:23 PDT 2013
On Tue, Jul 2, 2013 at 2:36 AM, Guido Witmond <guido at witmond.nl> wrote:
> ...
> Check
> http://perspectives.project.org;
> Transparency: http://www.certificate-transparency.org/;
> or others.
> ...
> Publish the sites' TLS certificate in DNSSEC with DANE. Or use the CAA
> proposal.
I would still prefer the best option where available: certificate
pinning from the service and application provider directly, e.g.
Google Chrome cert pins for Google services.
You can also roll your own root and server certificate validation
rules using out-of-band determination of "valid" server / CA certs if
you don't trust third parties to do this properly! Difficulty varies
by application and platform...
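As an added illustration (not code from this thread or from any of the projects named in it), here is the "roll your own" pinning approach from the reply above in Python: the client still lets the default context validate the CA chain, then additionally requires the server's DER certificate to match a SHA-256 pin obtained out of band, so a certificate minted by a compelled or rogue CA fails even though it chains to a trusted root. The pin list, `connect_pinned`, and `SAMPLE_DER` are assumptions of this example; `SAMPLE_DER` is constructed stand-in bytes, not a real certificate.

```python
import base64
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, base64 encoded (the pin format)."""
    return base64.b64encode(hashlib.sha256(der_cert).digest()).decode("ascii")


def verify_pin(der_cert: bytes, pins) -> bool:
    """True if the certificate matches any pin; comparison is constant-time."""
    fingerprint = cert_fingerprint(der_cert)
    return any(hmac.compare_digest(fingerprint, pin) for pin in pins)


def connect_pinned(host: str, port: int, pins, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection that must pass BOTH chain validation and the pin check.

    The pins are expected to come from an out-of-band source (the operator's
    published fingerprints), not from anything learned during the handshake.
    """
    ctx = ssl.create_default_context()  # normal CA and hostname validation stays on
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # handshake happens here
    der = tls.getpeercert(binary_form=True)
    if der is None or not verify_pin(der, pins):
        tls.close()
        # A chain that a trusted CA signed but that does not match the pin is
        # exactly the compelled-certificate case; refuse to talk to it.
        raise ssl.SSLError(f"certificate presented by {host} matches no pin")
    return tls


# Constructed sample input (NOT a real certificate): enough to exercise the
# fingerprint and pin logic offline without opening a network connection.
SAMPLE_DER = b"\x30\x82\x01\x00constructed-sample-certificate-bytes"
SAMPLE_PIN = cert_fingerprint(SAMPLE_DER)
```

A mismatch against a pin is only useful if the client surfaces it loudly (log it, fail closed) rather than silently falling back to plain CA validation.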