[guardian-dev] CACertMan app to address DigiNotar & others

elijah elijah at riseup.net
Wed Sep 7 02:45:12 EDT 2011


On 09/06/2011 09:09 AM, Nathan of Guardian wrote:

> On 09/06/2011 12:05 PM, Hans-Christoph Steiner wrote:
>> Anyone have any more concrete info on what it is so we have an idea of
>> how we might implement it outside of Firefox?
> 
> It's Moxie: https://github.com/moxie0/Convergence

Moxie gave a talk at Defcon about Convergence [1], and if I remember
correctly there are a few key improvements over Perspectives:

(1) anonymity, so that some notaries act as one-step mini-onion-like
routes for other notaries.

(2) a new REST API that allows you to create notaries that use different
rules for approving or rejecting certs

(3) improved speed; it eliminates the lag problem by sending the cert the
client sees to the notary.

Convergence is pretty awesome, and has been working well for me, but one
issue with Convergence is that it makes attacks against small sites
easier: if an attacker is able to replace your site entirely (via a DNS or
BGP attack, for example), a Convergence user will happily connect over
HTTPS with no errors even if the attacker has a self-signed cert. This
could potentially be fixed by adding features to the notaries [2].

Monkeysphere has done more to create SSL libraries that allow support
outside browsers. I don't think there are any plans to do this yet with
Convergence.

-elijah

[1] http://www.youtube.com/watch?v=Z7Wl2FW2TcA

[2] https://github.com/moxie0/Convergence/issues/26
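The following is an added toy model of notary-based certificate checking in the Perspectives/Convergence style, written to illustrate the weakness the post above describes; it is not Convergence's own code, and the fingerprints, host name, notary names and the "remember what you saw before" policy are all constructed for the example (the policy is one plausible notary-side feature, not necessarily what issue #26 proposes). The client sends the fingerprint it sees to each notary, each notary compares it with what its own network path observes, and the client accepts on majority (or unanimous) agreement. The scenarios show that a MITM on the client's path alone is caught, while a DNS/BGP hijack that redirects every path to the attacker is not, because all notaries then see the same self-signed cert; a notary that remembers its previous observation refuses the sudden change.

```python
"""Toy notary-consensus model (added example, not Convergence's code).

Fingerprints below are constructed strings, not real certificate hashes.
"""

# Constructed fingerprints for the three certs in play.
CA_CERT = "sha1:CA-SIGNED-EXAMPLE"          # the site's legitimate cert
MITM_CERT = "sha1:LOCAL-MITM-SELF-SIGNED"   # attacker only on the client's path
HIJACK_CERT = "sha1:HIJACK-SELF-SIGNED"     # attacker has replaced the site for everyone


class Notary:
    """A notary with its own network vantage point (hypothetical, for the model)."""

    def __init__(self, name, path, remember=False):
        self.name = name
        self.path = path          # host -> fingerprint as seen from this notary
        self.remember = remember  # assumed extra policy: refuse sudden cert changes
        self.seen = {}            # host -> fingerprint first recorded by this notary

    def verify(self, host, client_fp):
        """Convergence-style check: the client tells us what it saw; we compare.

        Returns True (agree), False (disagree) or None (host unreachable).
        """
        own_fp = self.path.get(host)
        if own_fp is None:
            return None
        if self.remember:
            prev = self.seen.setdefault(host, own_fp)
            if own_fp != prev:
                # The cert we observe differs from what we recorded earlier:
                # treat as a change worth refusing (assumed policy).
                return False
        return own_fp == client_fp


def client_decides(host, client_fp, notaries, mode="majority"):
    """Return (accept?, per-notary votes). mode is 'majority' or 'consensus'."""
    votes = {n.name: n.verify(host, client_fp) for n in notaries}
    answers = [v for v in votes.values() if v is not None]
    if not answers:
        return False, votes   # no notary reachable: fail closed
    agree = answers.count(True)
    if mode == "consensus":
        ok = agree == len(answers)
    else:
        ok = agree > len(answers) / 2
    return ok, votes


def run_scenarios():
    host = "example.net"  # constructed host name

    def fresh_notaries(remember=False):
        # Three notaries that all currently reach the legitimate site.
        return [Notary(f"notary{i}", {host: CA_CERT}, remember) for i in range(3)]

    results = {}

    # 1. Honest connection: client and notaries see the CA-signed cert.
    ok, _ = client_decides(host, CA_CERT, fresh_notaries())
    results["honest"] = ok

    # 2. Local MITM: only the client's path is intercepted; notaries disagree.
    ok, _ = client_decides(host, MITM_CERT, fresh_notaries())
    results["local_mitm"] = ok

    # 3. Global DNS/BGP hijack: every path now ends at the attacker, who
    #    presents a self-signed cert. All notaries agree with the client,
    #    so the connection is accepted without error.
    notaries = fresh_notaries()
    for n in notaries:
        n.path[host] = HIJACK_CERT
    ok, _ = client_decides(host, HIJACK_CERT, notaries)
    results["global_hijack"] = ok

    # 4. Same hijack against notaries that remember a prior observation of
    #    the host: the change from CA_CERT to HIJACK_CERT is refused.
    notaries = fresh_notaries(remember=True)
    for n in notaries:
        n.verify(host, CA_CERT)        # an earlier lookup recorded CA_CERT
        n.path[host] = HIJACK_CERT     # then the hijack happens
    ok, _ = client_decides(host, HIJACK_CERT, notaries)
    results["global_hijack_with_history"] = ok

    return results


if __name__ == "__main__":
    for scenario, accepted in run_scenarios().items():
        print(f"{scenario:28s} accepted={accepted}")
```

The history policy in scenario 4 is deliberately crude: a site that legitimately rotates its certificate would be refused just like a hijacked one, which is why any such feature belongs in notary policy (where it can be combined with cert age, CA-signed vs self-signed, or a grace period) rather than being hard-wired into the client.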
