Hacker News new | past | comments | ask | show | jobs | submit login

If people really listened to Snowden they wouldn't be relying on CA authorities for certificates.



There have been fradulent certificates in the wild in the past but the CAs doing it usually get kicked out pretty quickly. That's what Google's certificate transparency project is for. And they are increasing requirements further and further. Hopefully one day we'll get to a state where the infrastructure of multiple independent companies in different countries needs to be compromised in order for one successful forgery. But even now certificate transparency has greatly reduced the number of entities able to forge certificates.


The problems is, companies like VeriSign offer LEA services

Quoting https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1591033

“Verisign also operates a ‘Lawful Intercept’ service called NetDiscovery. This service is provided to ‘... [assist] government agen- cies with lawful interception and subpoena requests for subscriber records.’

If you now try to search for NetDiscovery or LEA services for CAs, you won't find any, but I guarantee you they haven't disappeared anywhere.


The CA doesn't have anything that helps you do Lawful Intercept. They just vouch for people's identities.

If you can persuade them to fraudulently vouch for your agency as being some other subscriber then this unavoidably produces a smoking gun which everybody can see, just like when Israel produces fake passports so its agents can travel abroad to murder people.

It doesn't let them passively intercept. The CA could not, gun to its head, help you do that. The mathematics just doesn't work that way, any more than the US Federal Reserve could intervene to make three dollars twice as many as five dollars.


That paper is from April 2010 which is a different age in terms of internet encryption. Just for comparison, Google only started offering an encrypted version of its service in May 2010: https://googleblog.blogspot.com/2010/05/search-more-securely...

They quickly realized the problems that you describe. In Nov 2011, the Certificate Transparency project by Google had its initial commit: https://github.com/google/certificate-transparency/commit/6a...

In Chrome they have since enforced CT compliance for certificates: https://groups.google.com/a/chromium.org/forum/#!msg/ct-poli...

CT requires that each certificate issued needs to be contained in both a Google log and a non-Google log: https://github.com/chromium/ct-policy/blob/master/ct_policy....

This means that fradulently issued certificates either won't work, or will be contained in public logs run by Google (or Google needs to be forced by authorities as well).


State actors.


I don't consider a cert trustworthy just because it's signed by a CA, unless that CA is mine or one run by someone I personally know and trust. I came to this position before Snowden, though.


In the CA model is anything 100% yours? A signed cert has to depend on someone you dont know.


> A signed cert has to depend on someone you dont know.

No, it doesn't. If it's signed by my own CA, then I clearly know who signed it. Likewise if it's signed by a CA run by someone else I actually know.

The point of the signing is to have someone I trust validate that the cert they signed is trustworthy even if I don't know the entity that made the cert they signed.


Unless it's self-signed. Presumably you do know yourself well enough?


I feel like Namecoin and Ethereum Name Service are the most promising replacements for certificate authorities that I'm aware of. Are you aware of any better suggestions?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: