On 28/04/13 20:58, Brad Rogers wrote:
>
>> the "web of trust" of certificate authorities to the point where many
>
> The cert authorities don't do web of trust, unless I've missed
> something. They simply sell a 'certificate' to anyone with the money to
> pay for it. You or I could buy one.

The certificate authorities all do some sort of check aside from taking your money. The issue is you are reliant on the security, integrity and checks of the weakest of the certificate authorities that your browser trusts. So the list doesn't scale well, and currently in my browser has a lot of entries. Apparently my browser trusts Vodafone, and Verisign, Google, AOL, Deutsche Telekom, Microsoft, organisations in Turkey whose name I can't even read the alphabet for, and various banks and companies in Japan, Switzerland, America, South Africa etc.

The Web of Trust scales better, since you are reliant on a small number of people you trust to introduce others. There is also gradation of trust (well, a little). Both can be subverted, but they are typically used for different things. If I get a GPG-signed email which is in my web of trust, it is likely to be reporting a security issue and the encryption is for privacy. Obviously if I use it for immediate wire transfer I need to be more careful. But even then it is unusual to exchange sensitive information via email with people you've never met unless you are directly introduced via a third party (hopefully someone in your web of trust). If I connect to my bank via HTTPS the security is to prevent immediate theft/fraud; typically I don't check the details beyond "it works without errors".

There is a partial solution to the dodgy certificate authority issue, which is the use of an HTTPS certificate notary. Instead of simply checking the certificate is valid, you also check with a trusted third party (or more than one if really paranoid) if this is the same certificate other people are seeing for the same website (and also if it has changed recently). Thus if you are in Iran, and contact accounts.google.com over https to login to google mail, and receive a certificate from a Turkish certificate authority, rather than the one you've had previously from Google's certificate authority, your browser checks with the notary and flags up a discrepancy.

HSTS will be the technology for improving HTTPS security in 2013 (it is already keeping most of us safer using Google and PayPal and you probably never noticed). It is there and working in Chrome and Firefox, and is one header in your web server to set up, so easy and simple with no real downside.

Notary-type checks will probably take a few years more to become the default behaviour in browsers, but unless a better solution emerges, I'm pretty sure it will happen because all certificate authorities are not created equal. Let us hope it doesn't take a major cock-up for it to happen.

If you have a trusted third party who checks if certificates are trustworthy, you arguably may not need the certificate authorities, since they could validate that self-signed certificates are consistent over time, or manage your list of trusted authorities in some other way. Much money could be at stake during this transition.

Of course none of this protects you from a genuine but stolen certificate, or a compromised remote server, which are probably bigger threats for most people (but not all).

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
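The notary check described in the post, as an added example that is not part of the original message or of any real notary service: the client fingerprints the certificate it received, asks several notaries what they have recorded for the hostname, and flags a discrepancy or a recent change. The notary names, the "DER" byte strings and the observation dates are all constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Observation:
    """What one notary has recorded for a hostname."""
    fingerprint: str       # SHA-256 of the DER-encoded certificate, hex
    first_seen: datetime   # when the notary first saw this certificate

def fingerprint(der_cert: bytes) -> str:
    return hashlib.sha256(der_cert).hexdigest()

def check_with_notaries(hostname, der_cert, notaries, now,
                        quorum=2, recent=timedelta(days=7)):
    """Compare the certificate the client received with what the notaries
    have seen. Verdicts: 'ok'; 'warn' (too few notaries agree, or the
    certificate changed recently); 'mismatch' (a notary has recorded a
    different certificate for this host)."""
    fp = fingerprint(der_cert)
    agree, disagree, recent_change, notes = 0, 0, False, []
    for name, records in notaries.items():
        obs = records.get(hostname)
        if obs is None:
            notes.append(f"{name}: no record for {hostname}")
        elif obs.fingerprint != fp:
            disagree += 1
            notes.append(f"{name}: has recorded a different certificate for {hostname}")
        else:
            agree += 1
            if now - obs.first_seen < recent:
                recent_change = True
                notes.append(f"{name}: certificate first seen {obs.first_seen:%Y-%m-%d} (recent)")
    if disagree:
        return "mismatch", notes
    if agree < quorum or recent_change:
        return "warn", notes
    return "ok", notes

# Constructed sample data: these byte strings stand in for real DER certificates.
NOW = datetime(2013, 4, 29)
GOOGLE_CERT = b"constructed DER certificate for accounts.google.com"
ROGUE_CERT = b"constructed DER certificate issued by an unexpected CA"
NOTARIES = {
    "notary-a.example": {"accounts.google.com": Observation(fingerprint(GOOGLE_CERT), NOW - timedelta(days=200))},
    "notary-b.example": {"accounts.google.com": Observation(fingerprint(GOOGLE_CERT), NOW - timedelta(days=190))},
}

if __name__ == "__main__":
    for cert in (GOOGLE_CERT, ROGUE_CERT):
        print(check_with_notaries("accounts.google.com", cert, NOTARIES, NOW))
```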