[kwlug-disc] Blue Coat
B.S.
bs27975.2 at gmail.com
Sat May 28 21:34:44 EDT 2016
Ouch! So much for the idea of CAs, and certificates, being 'simple', I
guess. Guess this is a much bigger topic than I thought.
And, you lost me.
In essence, the OP triggers the idea of revoking trust of (intermediary)
CAs that we might not want to trust.
I guess your pinning is essentially a client caching a site's cert. I
guess, for the site owner, this prevents someone else from 'spoofing' them.
However ... if that first cert fetch came from one of these
untrustworthy CA intermediaries - has one accomplished anything?
On 05/28/2016 08:10 PM, Hubert Chathi wrote:
> On Sat, 28 May 2016 15:11:39 -0400, Bob Jonkman <bjonkman at sobac.com> said:
>
>> There are trusted CAs in the browser, and there are trusted CAs in the
>> OS. Untrusting one of these CAs works only until the next browser
>> update or OS CA store update.
>
>> I used to diligently untrust CAs like DigiNotar and Comodo, both of
>> which have issued bogus certificates in the past. It's yet another
>> game of computer whack-a-mole, they keep on popping up as fast as you
>> can beat them down. I don't do that any more; now I just hold my
>> breath and hope I don't get pwnd.
>
> Site owners can somewhat mitigate the threat by using key pinning -- as
> long as your first visit to the site is secure, during subsequent
> visits, your browser will know which key/CA to expect. It's kind of
> scary to use it, though, because if you make a mistake then it means
> that your site is inaccessible for a while, which is probably why it
> isn't more widely used.
>
> In theory, an extension such as Perspectives[1] could also help, by
> comparing the certificate that your browser sees with what other servers
> (called notaries) see. However, the default set of notaries in
> Perspectives is deficient; see the comments for suggestions on notaries
> to use. You can also run your own notary (though, of course, it only
> works if your notary lives in a different area of the Internet than you
> do). It doesn't work very well, however, with some sites that use many
> different certificates at once and/or who rotate their certificates very
> frequently.
>
> [1] https://addons.mozilla.org/en-US/firefox/addon/perspectives/
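The pinning behaviour described in the quoted post (a first visit records the expected keys, later visits are checked against them, and a wrong pin locks the client out until max-age expires), together with the first-fetch question raised at the top of this message, as an added example that is not from any poster in the thread: a minimal HPKP-style (RFC 7469) pin store in Python. The SPKI byte strings and hostnames are constructed placeholders, not real keys or sites.

```python
import base64
import hashlib

# Constructed placeholders standing in for DER-encoded SubjectPublicKeyInfo.
KEY_A = b"constructed SPKI: site key A"      # key the site actually serves
KEY_B = b"constructed SPKI: backup key B"    # offline backup key (RFC 7469 requires one)
KEY_C = b"constructed SPKI: new key C"       # rotated-in key nobody pinned
KEY_X = b"constructed SPKI: attacker key X"  # key in a mis-issued certificate

def spki_pin(spki_der):
    """RFC 7469 pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def parse_pkp_header(value):
    """Parse a Public-Key-Pins header into its pins and max-age."""
    pins, max_age, include_sub = [], 0, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")  # split on first '=' only
        name, arg = name.lower(), arg.strip().strip('"')  # base64 may end in '='
        if name == "pin-sha256":
            pins.append(arg)
        elif name == "max-age":
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_sub}

class PinStore:
    """Client-side pin cache: trust on first use, then enforce until expiry."""
    def __init__(self):
        self.hosts = {}

    def visit(self, host, chain_spki, now, pkp_header=None):
        """Return 'ACCEPT' or 'REJECT' for a connection presenting chain_spki at time now."""
        chain_pins = {spki_pin(s) for s in chain_spki}
        noted = self.hosts.get(host)
        if noted and now < noted["expires"]:
            # Known host: some key in the chain must match a stored pin.
            if not chain_pins & noted["pins"]:
                return "REJECT"   # mismatch: the connection must fail
        elif noted:
            del self.hosts[host]  # pins expired: back to plain CA trust
        if pkp_header:
            parsed = parse_pkp_header(pkp_header)
            pins = set(parsed["pins"])
            # Note the header only if one pin matches the chain and a backup pin does not.
            if pins & chain_pins and pins - chain_pins and parsed["max_age"] > 0:
                self.hosts[host] = {"pins": pins, "expires": now + parsed["max_age"]}
        return "ACCEPT"
```

If the very first visit already goes through a mis-issuing CA, the store faithfully pins the wrong key and then rejects the genuine site, which is exactly the first-fetch problem asked about above.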