[liberationtech] Convergence: does anyone use it?
Guido Witmond
guido at witmond.nl
Sun Jul 28 14:35:37 PDT 2013
On 28-07-13 22:20, Patrick Mylund Nielsen wrote:
> On Sun, Jul 28, 2013 at 1:03 PM, Yan Zhu <yan at mit.edu
> <mailto:yan at mit.edu>> wrote:
>
> It seems to be the browser extension <http://convergence.io/> that
> everyone talks about but nobody uses. For one, the original
> repository isn't actively maintained, and I found at least one
> unpatched issue that keeps it from working in recent Firefoxes (see
> https://github.com/moxie0/Convergence/issues).
>
> Is anyone running it? Thoughts on whether it's worth forking and
> patching?
>
> Perspectives, on the other hand, is a similar project that is quite
> active but seems to get less mentions: http://perspectives-project.org/
>
> -Yan
>
>
> Unfortunate, since Convergence is based on the research done in the
> Perspectives project. Moxie deserves credit for sure, but he seems to be
> getting (almost) all of it. An Ubuntu-and-Debian-esque situation, if you
> will.
>
> Why is neither used by the masses? Because nobody changes their
> settings: https://www.imperialviolet.org/2011/09/07/convergence.html
> That's going to be a hard problem to solve.
The reason I stopped using it is that the trusted notaries sign a
certificate with their own CA-key. It removes the original certificate
from view. It's therefore indistinguishable from a MitM attack.
Perspectives, on the other hand, adds an extra out of band validation
that tells me why it comes to a certain result.
Please see screenshot with Convergence and plain Firefox:
http://witmond.nl/conv-mitm.png
Cheers, Guido.
More information about the liberationtech
mailing list