Giving every CA the power to issue certificates for the whole web is insane. And depending on unauthenticated DNS to bootstrap the connection is equally bonkers. Shouldn't we just use DNSSEC to have each domain publish its own root certificate and be done with CAs for good? It would solve both issues and we wouldn't have to pay a third party just to be able to encrypt HTTP for our own domains.
Having to pay a substantial fee for a certificate that assures you own a domain is insane.
This technology needs to be improved. Encrypted and authenticated HTTP connections should be a default, not a premium feature that site owners need to pay for.
Why are wildcard certs so much more expensive than single-domain certs? From a CA's infrastructure and verification point of view there shouldn't be any additional cost associated with issuing a wildcard cert.
Doesn't DNSSEC still rely on a trust authority counter-signing? It may make it easier for browsers to be cautious but is hardly going to stop regimes like China.
A better solution would be to tie all DNS records to a key on a hardware device that can be in the actual hands of the website operator (in a safe). What users want to know is that the website they visited yesterday is the one they visited today. Physical security of a single key that is never allowed to change is a better way to guarantee that than key chains.
"Science itself organized the German National Research and Education Network, DFN, the communications network for science and research in Germany. It connects universities and research institutions with one another and has become an integral part of the European and worldwide community of research and education networks."
Everyone can be a certificate authority. The problem is that browsers only recognize a small number of authorities and display a scary message for others.
The certificate pinning in Chrome is not a universal solution to the problem. It is just a built-in list from Google that hardcodes what certificates are "correct" for a short list of domains. The RFC for expanding the concept to a more universal approach is to do as SSH, by remembering certain attributes from the first time a client connects to a server.
ChannelID seems to operate in the same fashion. The first connection from Client->Server is completely without any security, but further connections can be verified.
I hadn't heard of ChannelID before now, but that draft is clearly talking about client, not server authentication; it's a way for you to prove to HN that you're really 'codeka', not a way for HN to prove to you that it's really Hacker News (which is what SSL certs do).
Perhaps, but I imagine it will easily be a decade before >90% of deployments are on browser versions that support Cert Pinning and ChannelID... think of all those enterprise deployments, universities and banks.
TACK (http://tack.io/), if widely implemented, would help a lot. As I understand it, if you visited a website regularly before it was compromised, then any future compromise along the lines described in the article (i.e., without stealing the server's private key) wouldn't affect you. I'm not sure if TACK is still alive or how on-board with it any browser developers are.
The vulnerabilities mentioned seem to apply to large-scale public websites. If a company serves a website for internal use then it is unlikely to be a direct target. Could any of the vulnerabilities expose company data to large-scale government data collection? It seems unlikely in the US but what about other authoritarian countries who have full control over their networks?
[+] [-] pedrocr|12 years ago|reply
[+] [-] mixedbit|12 years ago|reply
[+] [-] 7952|12 years ago|reply
[+] [-] LinaLauneBaer|12 years ago|reply
https://www.eff.org/files/colour_map_of_CAs.pdf
Even the very small university I went to (their organization is terrible by the way) is a certificate authority. How is that even possible?
[+] [-] LinaLauneBaer|12 years ago|reply
They all are "trusted" by the DFN, which is the German Research Network.
https://www.dfn.de/en/
[+] [-] antninja|12 years ago|reply
[+] [-] codeka|12 years ago|reply
Certificate pinning is already in Chrome, and I think ChannelID is coming soon (if not already).
ChannelID: http://tools.ietf.org/html/draft-balfanz-tls-channelid-00
[+] [-] belorn|12 years ago|reply
[+] [-] graue|12 years ago|reply
[+] [-] kniht|12 years ago|reply
[1] https://code.google.com/p/chromium/issues/detail?id=136462#c...
[+] [-] cbhl|12 years ago|reply
[+] [-] DASD|12 years ago|reply
[+] [-] graue|12 years ago|reply
[+] [-] itistoday2|12 years ago|reply
https://www.eff.org/encrypt-the-web
[+] [-] itistoday2|12 years ago|reply
http://comments.gmane.org/gmane.network.curvecp/65
http://i.imgur.com/VMDdTQ3.png
[+] [-] jacob019|12 years ago|reply
[+] [-] computeruser123|12 years ago|reply
[deleted]
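The SSH-style approach discussed in the thread (remember a server's key attributes on first contact, verify them on later connections) can be sketched as below. This is an added example, not code from any commenter, browser, TACK or the drafts linked above; `PinStore`, the JSON file layout and the byte strings standing in for server public keys are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile


class PinStore:
    """Trust-on-first-use store: host -> SHA-256 of the server's public key bytes."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as f:
                self.pins = json.load(f)

    def _save(self):
        # Write to a temp file and rename so a crash never leaves a half-written store.
        tmp = self.path + ".tmp"
        with open(tmp, "w") as f:
            json.dump(self.pins, f)
        os.replace(tmp, self.path)

    def check(self, host, public_key_bytes):
        host = host.lower().rstrip(".")  # same pin for EXAMPLE.org. and example.org
        fp = hashlib.sha256(public_key_bytes).hexdigest()
        pinned = self.pins.get(host)
        if pinned is None:
            # First contact: nothing to compare against, so whatever key is
            # presented gets pinned. This is the unprotected first connection.
            self.pins[host] = fp
            self._save()
            return "first-use"
        # A mismatch never overwrites the stored pin.
        return "match" if hmac.compare_digest(pinned, fp) else "mismatch"


def demo():
    path = os.path.join(tempfile.mkdtemp(), "pins.json")
    site_key = b"constructed-site-public-key"               # constructed sample
    other_key = b"constructed-key-from-a-different-issuer"  # constructed sample
    results = [PinStore(path).check("example.org", site_key)]    # first visit
    store = PinStore(path)                                       # later session
    results.append(store.check("example.org", site_key))         # same key
    results.append(store.check("EXAMPLE.org.", other_key))       # validly signed, different key
    results.append(store.check("example.org", site_key))         # pin survived the mismatch
    results.append(store.check("new.example.org", other_key))    # never-seen host
    return results


if __name__ == "__main__":
    print(demo())
```

The last result shows the limit raised in the thread: a host never visited before accepts whatever key it is shown, so pinning only protects returning visitors.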