[Cryptography] "Trust in digital certificate ecosystem eroding"

Guido Witmond guido at witmond.nl
Sun May 3 14:01:43 EDT 2015


On 05/03/15 16:35, Michael Kjörling wrote:


> And how likely is the average user to make a correct judgment if, say,
> the CA for the web site for their bank (the certificate for which they
> accepted God knows when way back) changes from, say, "VeriSign, Inc."
> to "ValiCert, Inc.", or even "VISA"? Just look at how many end-users
> fall for even the worst examples of impersonating various banks and
> large companies in spam email.

For enlightenment value, ask colleagues, friends, etc. who work in
IT security if they can name the CA of their bank.

Answer: Most people don't know it, even though they know they should.



> ... to reduce the number of false warnings. 

Here is the clue for the solution. We need to take the human out of the
loop.

Solutions like CT, Perspectives, Certificate Patrol work from the
premise that we can monitor changes and determine which changes are good
and which are bad changes in measurements. The assumption is that there
is only 1 certificate per domain name.

With DNSSEC and DANE, the site-owner *specifies* which CA is the correct
one *for their own site*.

If the browser requires a DANE record, and a valid chain of delegation
from ICANN's Root key downwards, then the browser has enough data to
determine if a certificate matches a domain name.

The end user does not get false warnings: it either matches and the user
gets connected, or there's an error and the browser refuses the connection.
Don't allow overrides!

It doesn't solve typosquatting; there are other solutions for that. [1]


Guido

[1]
http://eccentric-authentication.org/blog/2014/11/30/spot-the-differences.html
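As an added illustration, not part of Guido's post or of any browser or DANE implementation, here is the "match or refuse, never ask the user" decision he describes, written as a hypothetical Python check of an end-entity certificate against TLSA records (RFC 6698 field meanings). The Cert model, the dnssec_validated and pkix_valid flags and the sample bytes are assumptions; a real client would parse the DER certificate with a library and take the TLSA set and its AD status from a validating resolver.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

# Hypothetical minimal certificate model: real code would parse the DER and
# extract the SubjectPublicKeyInfo; here both byte strings are given directly.
@dataclass
class Cert:
    der: bytes   # full DER-encoded certificate
    spki: bytes  # DER-encoded SubjectPublicKeyInfo taken from it

@dataclass
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data

def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Compute what a TLSA record must carry for this certificate."""
    chosen = {0: cert.der, 1: cert.spki}[selector]
    if mtype == 0:
        return chosen
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](chosen).digest()

def dane_decision(cert: Cert, tlsa: List[TLSA], dnssec_validated: bool,
                  pkix_valid: bool) -> str:
    """Return 'connect' or 'refuse'; there is deliberately no third outcome."""
    if not dnssec_validated or not tlsa:
        return "refuse"  # no DNSSEC-authenticated DANE record: no connection
    for rec in tlsa:
        if rec.usage not in (1, 3):
            continue     # trust-anchor usages need chain walking, not modelled
        if rec.usage == 1 and not pkix_valid:
            continue     # PKIX-EE additionally requires a valid CA chain
        try:
            expected = association_data(cert, rec.selector, rec.mtype)
        except KeyError:
            continue     # unknown selector or matching type: unusable record
        if hmac.compare_digest(expected, rec.data):
            return "connect"
    return "refuse"

# Constructed sample, not real key material: the site owner pins the SPKI
# hash of its own certificate with a DANE-EE (usage 3) record.
SAMPLE_CERT = Cert(der=b"constructed-der-of-bank-cert", spki=b"constructed-spki")
SAMPLE_TLSA = [TLSA(3, 1, 1, hashlib.sha256(SAMPLE_CERT.spki).digest())]
```

With the sample data the DANE-EE record connects without any CA chain, while a missing record, an unvalidated DNS answer or a mismatching key all end in "refuse".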

