[conspire] SSL cert scandal: practical steps
rick at linuxmafia.com
Tue Sep 13 15:49:08 PDT 2011
At Saturday's CABAL meeting Paul Zander asked if I could boil down the
SSL Web site cert problem to a practical recommendation.
Fair question. Not easy to answer.
As an immediate bandaid, I still like the CertWatch (Certificate Watch)
Firefox extension, because it's dirt-simple and easy to understand.
Basically, any time an SSL cert or cert intermediate signature or root
certificate authority changes or is used for the first time, a dialogue
pops up to tell you so. That's it. That's all it does.
But that means that if you've been using https://www.bankofamerica.com/
for some months with CertWatch, and suddenly at your next visit
CertWatch pops up a note that the site has a new SSL cert with different
hash fingerprints, and it's now signed by Disig, A.S. of Bratislava
instead of Verisign, you are aware of the change, instead of oblivious
because the same 'lock' icon gets displayed for Disig certs as for
You will get false 'alarms', because of new cert issuances for benign
reasons (and who's to say BofA shouldn't move its cert business to
Slovakia). But now at least you'll be aware of those events and can
choose whether to investigate or not, whereas before you weren't even
So, short version: Use CertWatch.
In the long term, we just need something less brittle than the current
Web-cert PKI regime, period, and that won't happen quickly or easily.
More information about the conspire