[guardian-dev] CACertMan app to address DigiNotar & others
Hans-Christoph Steiner
hans at at.or.at
Tue Sep 6 12:05:37 EDT 2011
On Sep 5, 2011, at 9:53 AM, Jason wrote:
> On Sun, Sep 04, 2011 at 11:06:46PM -0400, Nathan of Guardian wrote:
>> As I expect many of you are aware, there was a major compromise to a
>> Dutch Certificate Authority named "DigiNotar" recently, where they
>> allowed SSL certs for domains like *.google.com, *.torproject.org and
>> even *.cia.gov as well as *.*.com to be issued.
>>
>> It was brought up to the contribs of CyanogenMOD that they should
>> probably remove the DigiNotar CA cert from the built-in Android OS
>> keystore (located at /system/etc/security/cacerts.bks). Since they have
>> 500k+ users, and can be more nimble than other ROM/device distributors,
>> it was seen as a way to quickly address the problem, at least within
>> their community. It turns out that it wasn't as easy to convince them to
>> do this (even though Mozilla, Google Chrome, IE, etc already had). You
>> can read the thread, but it is still an open issue:
>> http://code.google.com/p/cyanogenmod/issues/detail?id=4260
>
> As a side note, I hate the whole messy idea of deleting posts [1], I
> much prefer a ranking methodology (let the reader decide to ignore, or
> not).
>
>> In the meantime, I decided to do something proactive about this, and
>> took two approaches:
>>
>> 1) Create our own curated cacerts.bks file which rooted users could
>> install using 'adb' from their desktop and/or the 'Root Explorer' app
>> available in the market and elsewhere. Our version of the CACert file
>> removes DigiNotar, as well as CNNIC, a Chinese gov't-managed cert
>> authority who we have reason not to trust. Our goal is to continue to
>> audit, update and distribute our own cacerts file for users who trust us.
>>
>> Install info:
>> https://raw.github.com/guardianproject/cacert/master/INSTALLATION
>> Guardian's CACert:
>> https://github.com/downloads/guardianproject/cacert/cacerts.bks
>>
>> 2) We also wanted to create an app that let the user decide which certs
>> they wanted available, and which they didn't. Beyond this one CA
>> problem, there are potentially many more, and every handset manufacturer
>> or carrier can also place their own CA certs into the system. We need an
>> app to address today's and future CA threats.
>
> I've been looking at different approaches to this problem and the only
> one that I like so far is convergence [2]. The client and server are
> open source.
>
>> I have been hacking away on a solution to address this, and an initial
>> test release is available for you. 'CACertMan' is a simple app that
>> loads up the system cacert store, allows you to back it up, search for
>> certs, delete them, and then save it back to the system. You can always
>> restore from your initial backup, as well. In the future we may allow
>> for a cert to just be disabled, but for now it is delete and/or restore.
>
> Nice! definite improvement.
>
> thx,
>
> Jason.
>
> [1] http://groups.google.com/group/openkinect/msg/68fc40e3813477eb
> [2] http://www.convergence.io
Convergence looks interesting, but their website looks like a
marketing site. Even the "details" section fails to give any real
technical details. I guess it's based on this:
http://perspectives-project.org/
Anyone have any more concrete info on what it is so we have an idea of
how we might implement it outside of Firefox?
.hc
----------------------------------------------------------------------------
"[W]e have invented the technology to eliminate scarcity, but we are
deliberately throwing it away to benefit those who profit from
scarcity." -John Gilmore
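
As an added example (not CACertMan's code and not from this thread), the load, search, delete and save cycle described above for the system store looks like this with the standard java.security.KeyStore API. The class name, the command-line arguments and the subject-substring matching are assumptions, and on a desktop JVM the "BKS" store type needs the Bouncy Castle provider registered.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

// Hypothetical helper: prune CA entries whose subject DN contains a given string.
public class PruneCaStore {
    // Usage: java PruneCaStore <in.bks> <out.bks> <store-password> <needle> [<needle> ...]
    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: PruneCaStore <in> <out> <password> <needle>...");
            System.exit(2);
        }
        char[] password = args[2].toCharArray();

        // "BKS" is built in on Android; elsewhere Bouncy Castle must be registered.
        KeyStore store = KeyStore.getInstance("BKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            store.load(in, password);
        }

        // Search: collect every alias whose subject matches, then delete.
        List<String> doomed = new ArrayList<>();
        for (String alias : Collections.list(store.aliases())) {
            Certificate cert = store.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            String subject = ((X509Certificate) cert).getSubjectX500Principal()
                    .getName().toLowerCase(Locale.ROOT);
            for (int i = 3; i < args.length; i++) {
                if (subject.contains(args[i].toLowerCase(Locale.ROOT))) {
                    doomed.add(alias);
                    System.out.println("removing " + alias + ": " + subject);
                    break;
                }
            }
        }
        for (String alias : doomed) store.deleteEntry(alias);

        // Save to a new file so the input stays untouched as the backup.
        try (FileOutputStream out = new FileOutputStream(args[1])) {
            store.store(out, password);
        }
        System.out.println(doomed.size() + " removed, " + store.size() + " remain");
    }
}
```

Review the printed subjects before installing the output file, since a substring match can catch more entries than intended.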