[conspire] https TLS(/"SSL") certs (was: Re: Risks ...)

Rick Moen rick at linuxmafia.com
Fri Mar 29 19:19:42 PDT 2019


Quoting Michael Paoli (Michael.Paoli at cal.berkeley.edu):

> Yes, as Rick is often quick to point out :-) the https Certificate
> Authority (CA) situation is (paraphrasing?) quite a mess.

FWIW, the magnitude of this con job wasn't apparent to me until I read
Bruce Schneier's novice-friendly book _Beyond Fear_, which has an entire
chapter devoted to an exposé of the Certificate Authority problem,
explaining in detail why the CA model for https is not just a 'mess' but
basically a fraud against the public.

I recommend that book to interested observers.

> So, ... there's CAA Resource Records (RR)s [...]

Cool, I'm among today's Lucky 10,000[1] on this subject.  Which is to
say, I hadn't heard until today about this useful addition to the global
DNS, which I will hasten to implement for linuxmafia.com.  Thanks!

> Anyway, CA cert stuff - certainly a messy imperfect, uh, "solution".
> But that doesn't mean it can't be improved upon [...]

I probably have mentioned it before, but will do so again:  There's a
Firefox extension called Certificate Watch
(https://certwatch.simos.info), that is/was IMO a brilliant hack:
It simply keeps track of https certs and who attests to them, and pops up
a notification dialogue if the cert or its CA attestation _changes_.
Thus, it has the virtue of extreme simplicity.  It doesn't aspire to
tell you why the cert or its attestation changed, just that it did,
e.g., that your bank cert that used to be attested by VeriSign is
suddenly a different cert attested by a CA in Iran.

I say 'is/was' because Firefox's recent abandonment of its longtime
extensions API doubtless broke it for users who've continued to use new
Firefox versions, but that's a whole different subject.

[1] https://www.xkcd.com/1053/
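As an added illustration of the CAA Resource Records mentioned above (example code, not from the original post or from any CA's software): a minimal model of the check a CA performs under RFC 8659 before issuing. The zone contents, the hostnames and the CA identifier strings are constructed for the example; a real CA queries these records over DNS.

```python
# Added example: model of a CA's CAA check (RFC 8659). ZONE below is a
# constructed stand-in for DNS; name -> list of (flags, tag, value) records.
from typing import Dict, List, Optional, Tuple

ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com.": [(0, "issue", "letsencrypt.org"),
                     (0, "issuewild", ";"),              # forbid wildcard certs
                     (0, "iodef", "mailto:hostmaster@example.com")],
    "locked.example.com.": [(0, "issue", ";")],          # no CA may issue here
}

def relevant_caa(name: str) -> Optional[List[Tuple[int, str, str]]]:
    """RFC 8659 s.3: walk from the name toward the root and use the first
    CAA RRset found. None means no CAA anywhere, so any CA may issue."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = ZONE.get(".".join(labels[i:]) + ".")
        if rrset:
            return rrset
    return None

def ca_may_issue(name: str, ca: str) -> bool:
    """True if the CA identified by `ca` (its published issuer-domain-name,
    e.g. 'letsencrypt.org') may issue for `name`; '*.' requests a wildcard."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa(name[2:] if wildcard else name)
    if rrset is None:
        return True
    for flags, tag, _ in rrset:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False  # critical flag on an unrecognised tag: must not issue
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    # Wildcard requests use issuewild when present and fall back to issue;
    # non-wildcard requests only ever consult issue.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # only iodef etc. present: no issuance restriction
    # Each value is "<issuer-domain>[; param=value ...]"; an empty issuer
    # domain (the bare ";") means nobody may issue.
    allowed = {v.split(";", 1)[0].strip().lower() for v in applicable}
    return ca.lower() in allowed
```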
