Researcher releases tool for replacing certificate authorities

Bl8ckr0uter

Black Hat: Researcher releases tool for replacing certificate authorities - SC Magazine US

Forsaken_GA

The tool, called Convergence, is an add-on for the Firefox web browser, which essentially inverts the current CA system, giving more power to users.

Gee, I can't think of ANYTHING that could possibly go wrong with that.

the_Grinch

LOL (damn 7 character minimum)

tiersten

Uhh. The various browsers already let you alter what CA certs you have and trust. What exactly does this tool do apart from make it a bit easier to pick?

Forsaken_GA

tiersten wrote: »

Uhh. The various browsers already let you alter what CA certs you have and trust. What exactly does this tool do apart from make it a bit easier to pick?

From the article -

The tool allows users to decide which organizations to trust, instead of having to rely on the decisions of a site's administrator. Users would be able to take their pick of so-called “trust notaries," which would authorize their communications by default.


So basically, the user gets to choose who the root CA's are, instead of the companies who buy their certs. Which makes a degree of sense, since users basically don't have a choice but to trust folks like thawte, comodo, and godaddy, we get no say in who authenticates the cert, only the site owner, and the site owner has a limited number of options.

I, however, do not see this as any kind of improvement over the current situation. I think it might actually make it worse. I mean, seriously, how farfetched would it be for a piece of malware to install a "trust notary" without the average users knowledge? As much as we hear about this and that companies server getting pwned, I'd be willing to bet good money there's an exponential number more end hosts that are in a worse state of pwnage.

And the trust notaries have the potential to suffer from the same incompetence as the popular CAs. This solution is just the kids moving stuff around the room and then proudly proclaiming to mommy and daddy "look, i cleaned it!"

tiersten

Forsaken_GA wrote: »

So basically, the user gets to choose who the root CA's are, instead of the companies who buy their certs. Which makes a degree of sense, since users basically don't have a choice but to trust folks like thawte, comodo, and godaddy, we get no say in who authenticates the cert, only the site owner, and the site owner has a limited number of options.

You can do that now though. I can say oh I don't trust Verisign at all! and disable or remove the Versign CA certificates. You also able to add your own CA certificates as well if you have some obscure CA you want or you're running your own in house CA.

Forsaken_GA

tiersten wrote: »

You can do that now though. I can say oh I don't trust Verisign at all! and disable or remove the Versign CA certificates. You also able to add your own CA certificates as well if you have some obscure CA you want or you're running your own in house CA.

Right, the problem is, if I say I don't trust Verisign, then any site signed with Verisign certificates is going to give me a warning. There's nothing the remote site administrator can do about that except change certificate providers.

However, if site owners were to register with multiple trust notaries, then I could determine at my leisure which of them I wanted to trust, and it wouldn't necessarily effect m experience if I decided I didn't like someone.

It basically flips the roles of site admin and end user when it comes to who decides what entity's get to issue trust.

I get it conceptually, but I'm not entirely sure what problem it fixes. Assuming users are better informed about the merits or foibles of a Root CA provider is a laughable prospect.