On 4/15/2014 7:43 AM, nobody wrote:
> I just wondered... what is the pull back regarding Convergence to put it in
> the webbrowsers by default?
The main issue is who are the notaries? If they're simply reflecting
back "Yup, I see this valid CA cert" then they aren't adding a whole lot
of value for the amount of risk they introduce, and if they're making
their own judgement about the validity of the certificates on some other
ground they just become a type of Certificate Authority themselves. Who
pays for that infrastructure, and what is their motive?
Firefox and Chrome are both working on implementing "key pinning" (and
participating in the standardization process for it) which won't "free
us from the CA system" but will at least ameliorate one of the worst
aspects which is that any two-bit CA anywhere in the world can issue a
certificate for any site, anywhere.
The IETF is working on standardizing "Certificate Transparency", Chrome
is implementing it, and at least one CA is participating. This again
doesn't free us from the CA system, but it does make the public
certificates auditable so that mis-issuance could theoretically be detected.
> Or I hack the router you use to access the internet... all of the notaries
> you try to talk to I redirect to me. I say every site is valid regardless
> of whether it is or not. How is this more secure?
I haven't looked at the technical details of Convergence, but presumably
it requires a secure connection to the notary or, better, that the notary
responses are signed by the notary. If the communication with the notary
is unreliable then it's no help at all.
The main practical problems with convergence are that it introduces a
dependency on traffic to a 3rd party which hurts privacy, reliability,
and performance. These are similar to the problems we have today with
OCSP revocation checking.
-Dan Veditz
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
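The key-pinning point above (a chain that validates fine under the CA system can still be rejected because the site's key is not the one the client expects) can be made concrete with a small check. This is an added illustration, not code from the thread, from Mozilla or from Chrome: the SPKI byte strings are hypothetical placeholders standing in for real DER-encoded SubjectPublicKeyInfo blobs, and the chains are constructed for the three scenarios below.

```python
import base64
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs. Real pins are
# computed over the actual DER SPKI taken from a certificate; these bytes are
# hypothetical placeholders so the example runs offline.
SITE_SPKI = b"hypothetical-spki:site-live-key"
BACKUP_SPKI = b"hypothetical-spki:site-offline-backup-key"
INTERMEDIATE_SPKI = b"hypothetical-spki:site-issuing-intermediate"
ROOT_SPKI = b"hypothetical-spki:trusted-root-A"
OTHER_CA_SPKI = b"hypothetical-spki:unrelated-trusted-root-B"
MISISSUED_LEAF_SPKI = b"hypothetical-spki:leaf-issued-by-root-B"


def spki_pin(spki_der: bytes) -> str:
    """Pin encoding used by HPKP and by Chrome's preloaded pins: base64(SHA-256(SPKI))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# The site's pin set: the live key plus an offline backup key, so a planned
# key rollover does not lock out every client that enforces the pins.
SITE_PINS = frozenset({spki_pin(SITE_SPKI), spki_pin(BACKUP_SPKI)})


def chain_matches_pins(chain_spkis, pins=SITE_PINS) -> bool:
    """Pinning rule: at least one certificate anywhere in the chain must carry a pinned key."""
    return any(spki_pin(spki) in pins for spki in chain_spkis)


def accept_connection(ca_chain_valid: bool, chain_spkis, pins=SITE_PINS) -> str:
    """Pinning is layered on top of ordinary CA path validation, not a replacement for it."""
    if not ca_chain_valid:
        return "reject: chain does not validate to a trusted root"
    if not chain_matches_pins(chain_spkis, pins):
        return "reject: valid chain, but no pinned key present"
    return "accept"


# Scenario 1: the site's own chain (leaf, intermediate, root) passes both checks.
LEGIT_CHAIN = [SITE_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI]

# Scenario 2: a chain that plain CA validation accepts because root B is trusted,
# but that a pinning client refuses, because none of its keys is pinned.
MISISSUED_CHAIN = [MISISSUED_LEAF_SPKI, OTHER_CA_SPKI]

# Scenario 3: rollover to the backup key; no pin update is needed.
ROLLOVER_CHAIN = [BACKUP_SPKI, INTERMEDIATE_SPKI, ROOT_SPKI]

if __name__ == "__main__":
    for name, chain in [("legit", LEGIT_CHAIN),
                        ("misissued", MISISSUED_CHAIN),
                        ("rollover", ROLLOVER_CHAIN)]:
        print(f"{name:>10}: {accept_connection(True, chain)}")
```

The second scenario is exactly the "two-bit CA anywhere in the world" case: the chain is cryptographically valid, but the pin check rejects it because the only keys the client will accept for that site are the site's own. The backup pin matters operationally; a site that pins only its live key and then loses it has no way to recover without locking out pinning clients until the pins expire.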