A mighty fortress is our PKI
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Jul 28 09:38:22 EDT 2010
Paul Tiemann <paul.tiemann.usenet at gmail.com> writes:
>I like the idea of SSL pinning, but could it be improved if statistics were
>kept long-term (how many times I've visited this site and how many times it's
>had certificate X, but today it has certificate Y from a different issuer and
>certificate X wasn't even near its expiration date...)
That's the key-continuity model, which has been proposed a number of times for
Firefox, for example here's a discussion by a FF developer from over two years
ago on this, http://blog.johnath.com/2008/04/16/security-ui-in-firefox-3plus1/
(that's specific to FF, I don't know what the IE, Opera, Safari, ... guys talk
about). There's no sign of it gaining any traction.
I hate to be the perpetual wet blanket here but the problem isn't a lack of
ideas (many backed by extensive real-world research) but a lack of motivation
in browsers to change the security mechanisms and UI, most of which have
remained essentially unchanged (except for cosmetic rearrangement of the
chrome every release or so) since the debut of SSL in 1995. That's the
mastodon in the room, we can debate ideas pretty much forever but if no
browser vendor is interested in adopting any of them it isn't going to help
secure users.
(Having said that, it's fun to throw around ideas, so I'm not complaining
about that bit).
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list