[Cryptography] hard to trust all those root CAs

Dave Howe davehowe.pentesting at gmail.com
Thu Jul 24 06:51:25 EDT 2014


On 23/07/2014 13:32, John Denker wrote:
> On 07/22/2014 03:07 PM, Jerry Leichter wrote:
> > I forget the name, but there was a plugin that would warn you of
> > unexpected changes in location of the CA.
>
> It can't be a very successful solution, if people refer
> to it in the past tense, and can't remember the name.

Well, I do have Certpatrol - but ironically, it was the larger providers
that made it useless; by issuing different certs to different servers in
the same loadsharing farm, they caused the system to alert almost
constantly.

Certpatrol allows you to pin one layer up (i.e. pin the CA, not the end
certificate) which cuts down on some of the noise (such as Google
properties, thankfully) but not all of them. It only takes a few days
of the thing crying wolf before users uninstall, and knowing which
sites to CA pin (and understanding what that actually means) is another
issue.
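To make the trade-off above concrete, here is an added simulation (not Certpatrol's code, and not part of the original post) of trust-on-first-use pinning at the leaf level versus one layer up at the issuing CA. The hostname, CA names and fingerprints are constructed; the farm serves three different leaves from one CA, then a leaf from a different CA appears.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an observed X.509 leaf (constructed, not parsed)."""
    subject: str
    issuer: str
    fingerprint: str  # constructed label, not a real hash

class PinStore:
    """Trust-on-first-use pin table keyed by hostname.

    mode="leaf"   pins the end-entity fingerprint
    mode="issuer" pins one layer up, i.e. the issuing CA name
    """
    def __init__(self, mode: str) -> None:
        if mode not in ("leaf", "issuer"):
            raise ValueError(mode)
        self.mode = mode
        self.pins: dict[str, str] = {}

    def _key(self, cert: Cert) -> str:
        return cert.fingerprint if self.mode == "leaf" else cert.issuer

    def observe(self, host: str, cert: Cert) -> bool:
        """Record the observation; return True when it should raise an alert."""
        key = self._key(cert)
        if host not in self.pins:
            self.pins[host] = key      # first sight: remember, do not alert
            return False
        return self.pins[host] != key  # mismatch against the stored pin

def alerts(mode: str, observations: list[tuple[str, Cert]]) -> list[str]:
    """Fingerprints of the observations that would have alerted under `mode`."""
    store = PinStore(mode)
    return [c.fingerprint for h, c in observations if store.observe(h, c)]

HOST = "www.example.test"  # constructed hostname
# Three servers in one load-sharing farm, each with its own leaf from the same CA.
FARM = [Cert(HOST, "Example CA", f"aa:0{i}") for i in (1, 2, 3)]
# A leaf from a different CA: the case pinning is actually meant to catch.
ROGUE = Cert(HOST, "Other CA", "bb:01")

OBSERVATIONS = [(HOST, c) for c in (FARM[0], FARM[1], FARM[2], FARM[0], ROGUE)]

if __name__ == "__main__":
    print("leaf pin alerts:  ", alerts("leaf", OBSERVATIONS))    # aa:02, aa:03, bb:01
    print("issuer pin alerts:", alerts("issuer", OBSERVATIONS))  # bb:01 only
```

Leaf pinning fires on every farm member that differs from the first one seen, which is the "crying wolf" behaviour described; issuer pinning stays quiet across the farm and still fires when the CA changes.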

