[conspire] SSL cert scandal: practical steps

Rick Moen rick at linuxmafia.com
Tue Sep 13 15:49:08 PDT 2011


At Saturday's CABAL meeting Paul Zander asked if I could boil down the
SSL Web site cert problem to a practical recommendation.

Fair question.  Not easy to answer.  

As an immediate bandaid, I still like the CertWatch (Certificate Watch)
Firefox extension, because it's dirt-simple and easy to understand.
Basically, any time an SSL cert or cert intermediate signature or root
certificate authority changes or is used for the first time, a dialogue
pops up to tell you so.  That's it.  That's all it does.

But that means that if you've been using https://www.bankofamerica.com/
for some months with CertWatch, and suddenly at your next visit
CertWatch pops up a note that the site has a new SSL cert with different
hash fingerprints, and it's now signed by Disig, A.S. of Bratislava
instead of Verisign, you are aware of the change, instead of oblivious
because the same 'lock' icon gets displayed for Disig certs as for
Verisign ones.

You will get false 'alarms', because of new cert issuances for benign
reasons (and who's to say BofA shouldn't move its cert business to
Slovakia).  But now at least you'll be aware of those events and can
choose whether to investigate or not, whereas before you weren't even
aware.

So, short version:  Use CertWatch.

In the long term, we just need something less brittle than the current
Web-cert PKI regime, period, and that won't happen quickly or easily.
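
The behaviour described above (a notice whenever a site cert, intermediate or root is used for the first time or changes) can be sketched as a small trust-on-first-use tracker. This is an added illustration, not CertWatch's code and not part of the original post; the class name, notice wording, the host bank.example and the byte strings standing in for DER certificates are constructed assumptions.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

class CertChangeWatcher:
    """Remembers every cert seen and the chain each host last presented."""

    def __init__(self):
        self.seen = {}        # fingerprint -> label, for every cert ever seen
        self.last_chain = {}  # host -> fingerprints, site cert first, root last

    def observe(self, host, chain):
        """chain: list of (label, der_bytes). Returns notices for this visit."""
        fps = [fingerprint(der) for _, der in chain]
        notices = []
        for (label, _), fp in zip(chain, fps):
            if fp not in self.seen:            # first use of this certificate
                self.seen[fp] = label
                notices.append(f"first use: {label}")
        old = self.last_chain.get(host)
        if old is not None and old != fps:     # same host, different chain
            if old[0] != fps[0]:
                notices.append(f"{host}: site cert changed")
            if old[1:-1] != fps[1:-1]:
                notices.append(f"{host}: intermediate changed")
            if old[-1] != fps[-1]:
                notices.append(f"{host}: root changed, was {self.seen[old[-1]]}, "
                               f"now {chain[-1][0]}")
        self.last_chain[host] = fps
        return notices

# Constructed stand-ins for DER bytes; a real client would pass the peer's chain.
CHAIN_OLD = [("site cert A", b"leaf-A"), ("intermediate A", b"int-A"),
             ("Verisign root", b"root-verisign")]
CHAIN_NEW = [("site cert B", b"leaf-B"), ("intermediate B", b"int-B"),
             ("Disig root", b"root-disig")]

def demo():
    w = CertChangeWatcher()
    return [w.observe("bank.example", c) for c in (CHAIN_OLD, CHAIN_OLD, CHAIN_NEW)]

if __name__ == "__main__":
    for visit, notices in enumerate(demo(), 1):
        print(visit, notices or "no change")
```

A routine reissue under the same root produces only the "site cert changed" notice, while a switch of issuing authority also produces the "root changed" one, which is the case worth a closer look.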




