[liberationtech] How to protect users from compelled fake ssl certs?
Guido Witmond
guido at witmond.nl
Tue Jul 2 09:50:40 PDT 2013
On 02-07-13 17:32, coderman wrote:
> On Tue, Jul 2, 2013 at 2:36 AM, Guido Witmond <guido at witmond.nl> wrote:
>> ...
>> Check
>> http://perspectives.project.org;
>> Transparency: http://www.certificate-transparency.org/;
>> or others.
>> ...
>> Publish the sites' TLS certificate in DNSSEC with DANE. Or use the CAA
>> proposal.
>
>
> i would still prefer the best option where available: certificate
> pinning from the service and application provider directly. e.g.
> Google Chrome cert pins for Google services.
Certificate pinning certainly provides the best protection when
connecting to Gmail with a Google-provided Chrome browser running a
Google-provided operating system. I don't expect them to provide
anything less (secure) for their customers/users.
But it does nothing to protect me when connecting to sites that Google
does not include in their pinning list.
There I have the same problem as before.
>
> you can also roll your own root and server certificate validation
> rules using out of band determination of "valid" server / ca certs if
> you don't trust third parties to do this properly! difficulty varies
> by application and platform...
Those third parties have proven not to be trustworthy. That's why we
need monitoring systems like Perspectives and CT, and DNSSEC/DANE or CAA to
tell us which certificate authority to expect.
Cheers, Guido.
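Both the DANE/CAA approach Guido mentions and the out-of-band pinning coderman prefers come down to comparing the certificate a server presents against data published in advance. The Python below is an added example, not code from the thread or either author: it computes the TLSA record data defined in RFC 6698 (usage, selector, matching type, association data) from a DER certificate and checks a presented certificate against a set of records. The certificate bytes are a constructed placeholder with only the DER structure a TLSA computation needs, and the DER helpers are minimal ones written for this example.

```python
import hashlib

def der_tlv(buf, off=0):
    """Parse one DER TLV at buf[off]; return (tag, value, offset just past it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                       # long-form length: next n bytes hold the length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der(tag, body):                          # DER TLV encoder, used only for the sample cert
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    return bytes([tag, 0x82]) + len(body).to_bytes(2, "big") + body

def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout)."""
    _, cert_body, _ = der_tlv(cert_der)     # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = der_tlv(cert_body)          # tbsCertificate ::= SEQUENCE { ... }
    off = der_tlv(tbs)[2] if tbs[0] == 0xA0 else 0   # skip optional [0] EXPLICIT version
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        _, _, off = der_tlv(tbs, off)
    _, _, end = der_tlv(tbs, off)           # subjectPublicKeyInfo, header included
    return tbs[off:end]

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Build TLSA record data (RFC 6698); default "3 1 1" = DANE-EE, SPKI, SHA-256."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    digest = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[mtype]
    return f"{usage} {selector} {mtype} {digest(data).hex()}"

def dane_ee_match(cert_der, tlsa_records):
    """True if the presented cert matches any usage-3 (DANE-EE) record. Usages 0-2 also
    need PKIX chain validation, which this check does not replace, so they are skipped."""
    for rec in tlsa_records:
        usage, selector, mtype, _ = rec.lower().split(" ", 3)
        if usage == "3" and tlsa_rdata(cert_der, 3, int(selector), int(mtype)) == rec.lower():
            return True
    return False

# Constructed sample certificate: structurally valid DER with placeholder fields, not a real cert.
# For a live peer, ssl.SSLSocket.getpeercert(binary_form=True) returns the DER bytes instead.
SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
           + der(0x03, b"\x00" + b"\xaa" * 64))
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
          + der(0x30, b"") * 4 + SPKI)       # version, serial, 4 placeholder SEQUENCEs, SPKI
CERT = der(0x30, TBS + der(0x30, b"") + der(0x03, b"\x00" + b"\xbb" * 64))
```

The same SPKI digest that goes into a `3 1 1` TLSA record is what a browser pin list stores, so a pin check and a DANE-EE check share the computation; only where the expected value comes from (DNSSEC versus the application vendor) differs.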