[liberationtech] How to protect users from compelled fake ssl certs?
Ralph Holz
holz at net.in.tum.de
Tue Jul 2 09:59:23 PDT 2013
Hi,
> What is the most effective way to protect users against a compelled fake
> certificate attack? Since any CA can issue any cert and any US based CA
> could probably be compelled to issue a fake CA, how can we protect
> against this?
Crossbear has automatic reporting:
http://www.net.in.tum.de/fileadmin/bibtex/publications/papers/holz_x509forensics_esorics2012.pdf
Following some breakages in the Firefox API, we are going to relaunch it
in September. Until then, we're busy implementing the protocol for OONI
(-> OONIBear):
https://ooni.torproject.org/
The current status is we've got it running, the hunting works, and it's
passed all initial tests. IPv6 is giving us some difficulty due to lack
of test cases.
Also, we're working on command-line visualisation tools.
Ralph
--
Ralph Holz
I8 - Network Architectures and Services
Technische Universität München
http://www.net.in.tum.de/de/mitarbeiter/holz/
Phone +49.89.289.18043
PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
More information about the liberationtech
mailing list