On 5/30/2014 12:00 PM, Gervase Markham wrote:
> On 28/05/14 17:49, Joshua Cranmer 🐧 wrote:
>> We have an excellent chance to try to rethink CA infrastructure in this
>> process beyond the notion of a trusted third-party CA system (which is
>> already more or less broken, but that's beside the point). My own view
>> on this matter is that the most effective notion of trust is some sort
>> of key pinning: using a different key is a better indicator of an attack
>> than having a valid certificate; under this model the CA system is
>> largely information about how to trust a key you've never seen before.
>> There is a minor gloss point here in that there are legitimate reasons
>> to need to re-key servers (e.g., Heartbleed or the Debian OpenSSL
>> entropy issue), and I don't personally have the security experience to
>> be able to suggest a solution here.
>
> Forgive me, but that sounds like "I'm going to propose a solution with
> one glaring flaw that has always sunk it in the past, and then gloss
> over that flaw by saying 'I don't have the security experience - someone
> else fix it'."

Actually, that is essentially what I'm saying. I know other people at
Mozilla have good security backgrounds and can discuss the issue, and I
was hoping that they could weigh in with suggestions on this thread. I
acknowledge that the re-keying is a difficult issue, but I also don't
have the time to do the research myself on this topic, since I'm way
backed up on a myriad of other obligations.

>> Doesn't the EFF's SSL Observatory already track the SSL certificates to
>> indicate potential MITMs?
>
> The SSL Observatory's available data is a one-off dump from several
> years ago. They are collecting more data as they go along, but it's not
> public.

The EFF does things that aren't public?! :)
More seriously, are they actively attempting to detect potential MITMs,
and would they announce if they did detect one? Andrew had in his
proposal a note that reporting of fingerprints could be used to detect
MITMs, and I was implying that this was duplicating work others were
already doing.
--
Joshua Cranmer
Thunderbird and DXR developer
Source code archæologist
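
The pinning model discussed in this message, as an added sketch that is not part of the original thread or any Mozilla code: the CA verdict is consulted only for a key never seen before, and a changed key is flagged even when its chain validates, so a legitimate re-key and a mis-issued certificate get the same verdict. The `PinStore` class, the verdict strings, the host name and the key bytes are all hypothetical, and skipping the chain check on a pin match is an assumption of this sketch.

```python
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """SHA-256 fingerprint of a server's SubjectPublicKeyInfo bytes."""
    return hashlib.sha256(spki_der).hexdigest()


class PinStore:
    """Hypothetical client-side pin store holding one pinned key per host."""

    def __init__(self):
        self.pins = {}

    def check(self, host: str, spki_der: bytes, ca_valid: bool) -> str:
        pin = spki_pin(spki_der)
        known = self.pins.get(host)
        if known is None:
            # Never-seen key: the CA verdict is the only evidence available.
            if not ca_valid:
                return "first_seen_rejected"
            self.pins[host] = pin
            return "first_seen_pinned"
        if known == pin:
            # Same key as before (assumption: the chain is not re-checked here).
            return "pin_match"
        # Different key: flagged even with a CA-valid chain; the stored pin
        # is left untouched so the mismatch keeps being reported.
        return "key_changed"


def demo():
    # Constructed stand-ins for DER-encoded public keys, not real keys.
    old_key = b"constructed-key-A"
    rekeyed = b"constructed-key-B"    # operator re-keyed after a key compromise
    attacker = b"constructed-key-C"   # MITM holding a mis-issued certificate
    store = PinStore()
    host = "mail.example.org"         # constructed host name
    return [
        store.check(host, old_key, ca_valid=True),
        store.check(host, old_key, ca_valid=True),
        store.check(host, rekeyed, ca_valid=True),
        store.check(host, attacker, ca_valid=True),
    ]


if __name__ == "__main__":
    print(demo())
```

The last two results are identical, which is the re-keying problem raised in the thread: the pin alone cannot tell the operator's new key from an attacker's.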