Moxie Marlinspike's Solution To the SSL CA Problem

Trevelyan writes "In his Blackhat talk on the past and future of SSL (YouTube video) Moxie Marlinspike explains the problems of SSL today, and the history of how it came to be so. He then goes on to not only propose a solution, but he's implemented it as well: Convergence. It will let you turn off all those untrustable CAs in your browser and still safely use HTTPS. It even works with self-signed certificates. You still need to trust someone, but not forever like CAs. The system has 'Notaries,' which you can ask anonymously for their view on a certificate's authenticity. You can pool Notaries for a consensus, and add/remove them at any time."

  • Web Of Trust (Score:3, Informative)

    by hjf ( 703092 ) on Thursday September 08, 2011 @11:16AM (#37340458)

    Web Of Trust, really, are you fucking kidding me? This has been implemented for how long already? Thawte personal certificates for e-mail work like that, with "trusted" notaries and shit.

    And this is somehow a NEW AND REVOLUTIONARY idea, because it has a Web 2.0 name like "Convergence"?

    Sheesh, the shit one has to put up with.

  • by schwaang ( 667808 ) on Thursday September 08, 2011 @02:04PM (#37342810)

    From the talk, Convergence is based on Perspectives, with some updates:
    - Once a client has confirmed a certificate through the notaries, it is cached locally. Future contacts for that site will not need re-notarization until the site's cert is changed. That way your browsing history is not exposed through your notary contacts very often.
    - Contact to the notaries can be done through a trusted proxy over SSL, to protect exposure of your browser history.
    - The user can choose one or more notaries, and choose to distrust any of them at any time.
    - Each notary can use any backend validation method it wants. It could check certs stored in DNSSEC, it could use the existing CA system, the EFF will have one that uses their SSL observatory, etc.
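A toy model of the notary flow schwaang lists above, added here as an illustration; it is not code from Convergence or Perspectives, and the notary names, fingerprints and threshold policy are constructed. It shows the consensus check, the local cache that avoids re-contacting notaries for an unchanged cert, and distrusting a notary at any time.

```python
from collections import Counter

# Constructed sample data: each notary reports the certificate fingerprint it
# observed for a host from its own vantage point. Made-up values, not real
# notary responses; notary-c disagrees about bank.example.
NOTARY_VIEWS = {
    "notary-a.example": {"bank.example": "aa11", "mail.example": "bb22"},
    "notary-b.example": {"bank.example": "aa11", "mail.example": "bb22"},
    "notary-c.example": {"bank.example": "ff99", "mail.example": "bb22"},
}


class ConvergenceClient:
    """Simplified model (not the real wire protocol): the user picks notaries,
    asks them for a site's fingerprint, requires majority or full consensus,
    caches an accepted fingerprint, and can drop a notary at any time."""

    def __init__(self, notaries, threshold="majority"):
        self.notaries = set(notaries)
        self.threshold = threshold   # "majority" or "consensus"
        self.cache = {}              # host -> fingerprint accepted earlier
        self.queries = 0             # notary contacts made (privacy metric)

    def distrust(self, notary):
        self.notaries.discard(notary)

    def _ask(self, notary, host):
        self.queries += 1
        return NOTARY_VIEWS.get(notary, {}).get(host)

    def verify(self, host, presented_fp):
        # Cache hit: cert unchanged since last check, so no notary is
        # contacted and browsing history is not exposed again.
        if self.cache.get(host) == presented_fp:
            return True
        # Otherwise ask every currently trusted notary for its view.
        votes = Counter(self._ask(n, host) for n in self.notaries)
        votes.pop(None, None)        # notaries with no view for this host
        total = sum(votes.values())
        if total == 0:
            return False
        agree = votes[presented_fp]
        if self.threshold == "majority":
            ok = agree * 2 > total
        else:                        # every responding notary must agree
            ok = agree == total
        if ok:
            self.cache[host] = presented_fp
        return ok
```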