[kwlug-disc] Blue Coat

B.S. bs27975.2 at gmail.com
Sat May 28 21:34:44 EDT 2016


Ouch! So much for the idea of CAs, and certificates, being 'simple', I 
guess. Guess this is a much bigger topic than I thought.

And, you lost me.

In essence, the OP triggers the idea of revoking trust of (intermediary) 
CAs that we might not want to trust.

I guess your pinning is essentially a client caching a site's cert. I 
guess, for the site owner, this prevents someone else from 'spoofing' them.

However ... if that first cert fetch came from one of these 
untrustworthy CA intermediaries - has one accomplished anything?


On 05/28/2016 08:10 PM, Hubert Chathi wrote:
> On Sat, 28 May 2016 15:11:39 -0400, Bob Jonkman <bjonkman at sobac.com> said:
>
>> There are trusted CAs in the browser, and there are trusted CAs in the
>> OS.  Untrusting one of these CAs works only until the next browser
>> update or OS CA store update.
>
>> I used to diligently untrust CAs like DigiNotar and Comodo, both of
>> which have issued bogus certificates in the past. It's yet another
>> game of computer whack-a-mole, they keep on popping up as fast as you
>> can beat them down. I don't do that any more; now I just hold my
>> breath and hope I don't get pwnd.
>
> Site owners can somewhat mitigate the threat by using key pinning -- as
> long as your first visit to the site is secure, during subsequent
> visits, your browser will know which key/CA to expect.  It's kind of
> scary to use it, though, because if you make a mistake then it means
> that your site is inaccessible for a while, which is probably why it
> isn't more widely used.
>
> In theory, an extension such as Perspectives[1] could also help, by
> comparing the certificate that your browser sees with what other servers
> (called notaries) see.  However, the default set of notaries in
> Perspectives is deficient; see the comments for suggestions on notaries
> to use.  You can also run your own notary (though, of course, it only
> works if your notary lives in a different area of the Internet than you
> do).  It doesn't work very well, however, with some sites that use many
> different certificates at once and/or who rotate their certificates very
> frequently.
>
> [1] https://addons.mozilla.org/en-US/firefox/addon/perspectives/
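The pinning behaviour Hubert describes, and the first-visit problem raised above, worked through as an added example (this is not code from the thread, and not a browser's own implementation). It models the HTTP Public Key Pinning rules: a pin is the base64 SHA-256 of a certificate's DER SubjectPublicKeyInfo, a site's pin header is only honoured when the served key matches one pin and at least one backup pin is also listed, and a stored pin lapses after its max-age. The SPKI blobs are constructed Ed25519 structures around made-up key bytes, and the hostnames example.net and example.org are placeholders.

```python
"""Trust-on-first-use key pinning in the style of HTTP Public Key Pinning (RFC 7469).

Added example for the kwlug-disc thread; the SPKI values are constructed
(valid Ed25519 SubjectPublicKeyInfo DER around made-up key bytes), not real keys.
"""
import base64
import hashlib

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 } BIT STRING { 0x00 || 32-byte key } }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")
MAX_AGE = 60 * 60 * 24 * 60  # 60 days; a value a site owner might choose (assumption)


def constructed_spki(fill: int) -> bytes:
    """A syntactically valid SPKI whose 32 key bytes are all `fill` (constructed data)."""
    return ED25519_SPKI_PREFIX + bytes([fill]) * 32


def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 pin-sha256 value: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


class PinStore:
    """What a browser remembers per host: a set of pins and when they expire."""

    def __init__(self):
        self._pins = {}  # host -> (set of pin strings, expiry as unix time)

    def check(self, host, served_spkis, now):
        """Validate a connection against the stored pins; returns (ok, reason)."""
        entry = self._pins.get(host)
        if entry is None:
            return True, "no pin stored"          # first visit: nothing to compare against
        pins, expiry = entry
        if now >= expiry:
            del self._pins[host]
            return True, "pin expired"            # stale pins are dropped, not enforced
        if pins & {spki_pin(s) for s in served_spkis}:
            return True, "pin matched"
        return False, "pin mismatch"              # chain may be CA-valid, key is not the expected one

    def record(self, host, header_pins, served_spkis, now):
        """Honour a pin header only if it covers the served key AND names a backup."""
        served = {spki_pin(s) for s in served_spkis}
        pins = set(header_pins)
        if not (pins & served) or not (pins - served):
            return False                          # a header that would lock the site out is ignored
        self._pins[host] = (pins, now + MAX_AGE)
        return True


def visit(store, host, served_spki, header_pins, now):
    """One connection: check the served key, then process the pin header if present."""
    ok, why = store.check(host, [served_spki], now)
    if ok and header_pins:
        store.record(host, header_pins, [served_spki], now)
    return ok, why


def simulate():
    """Walk the cases from the thread; returns a list of (step, ok, reason)."""
    site, backup, mitm, new = (constructed_spki(b) for b in (0x11, 0x22, 0x33, 0x44))
    pins = [spki_pin(site), spki_pin(backup)]     # the site pins its live key plus an offline backup
    t = 1_700_000_000
    s = PinStore()
    steps = [
        ("first visit, genuine", *visit(s, "example.net", site, pins, t)),
        ("later visit, genuine", *visit(s, "example.net", site, pins, t + 1)),
        # certificate from a compromised CA: chain validates, but the key is not pinned
        ("bogus-CA cert", *visit(s, "example.net", mitm, None, t + 2)),
        ("rotate to backup key", *visit(s, "example.net", backup, pins, t + 3)),
        # the operator's mistake Hubert warns about: a key nobody pinned in advance
        ("rotate to unpinned key", *visit(s, "example.net", new, [spki_pin(new)], t + 4)),
        ("same after max-age", *visit(s, "example.net", new, None, t + MAX_AGE + 4)),
    ]
    # B.S.'s question: what if the very first fetch was already intercepted?
    s2 = PinStore()
    steps.append(("first visit via MITM",
                  *visit(s2, "example.org", mitm, [spki_pin(mitm), spki_pin(new)], t)))
    steps.append(("real site afterwards", *visit(s2, "example.org", site, pins, t + 1)))
    return steps


if __name__ == "__main__":
    for step, ok, why in simulate():
        print(f"{step:24s} {'OK ' if ok else 'FAIL'} ({why})")
```

The last two steps are the answer to the question in the post: if the first visit is intercepted, the interceptor's key is what gets pinned, and the genuine site is then the one that fails. Pinning only adds protection for visits after a clean first one; it cannot fix the first one. One further caveat: browsers have since dropped support for the HPKP header, so this trust-on-first-use logic is today found in purpose-built clients rather than in general web browsers.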
