Someone must've suggested this already, but why not just create a "distributed" cloud service that caches certs as seen by users with their frequency and geographic location? Browsers could then have a plugin that connects to that cloud to compare the certs they're getting and those already cached. Surely if 90% of Iranians are seeing one cert and 90% of users elsewhere are seeing something else then there's an issue with that cert. Obviously the issue then is making sure that the info you're getting from that service is accurate ... but the point is that that system would gain resilience through decentralization (vs. the CAs which are centralized.)
Not a be-all and end-all solution, but at least something that can be layered on top of what we have today and that provides an extra barrier of sorts.
Posted Sep 8, 2011 16:53 UTC (Thu) by pspinler (subscriber, #2922)
That sounds like just pushing the problem back one level. A large scale determined MITM attack like this would just add the suggested cloud to the dns/cert/service list they suborn.
-- Pat
Certificates and "authorities"
Posted Sep 8, 2011 19:18 UTC (Thu) by karim (subscriber, #114)
But, but, but ... isn't this the industry where there isn't a single problem you can't solve by adding another layer?!?!? ;)
Seriously, though, I knew this would come up and you're right. Which is why we'd get a "here's a solution"/"that's not enough"-rinse-wash-repeat situation until something would come out of it (or not.) It's just the basis of an idea which I totally agree would need much more work. The benefit, though, is to leverage what's already there.
FWIW
Certificates and "authorities"
Posted Sep 12, 2011 17:21 UTC (Mon) by Chocrates (guest, #67068)
Then wouldn't it be noticeable that large geographical regions have no data? Or manufactured data?
Certificates and "authorities"
Posted Sep 14, 2011 15:14 UTC (Wed) by karim (subscriber, #114)
That's brilliant. Indeed it seems that that would be an interesting side effect.
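
The comparison proposed in the opening comment (one region's users overwhelmingly seeing a different cert from users elsewhere) and the follow-up observation that regions with no data would themselves be noticeable can be sketched as follows. This is an added example, not code from any commenter in the thread; the report format, host name, fingerprints, region list and 90% threshold are all constructed for illustration, and the reports are assumed to be authentic, which is exactly the open problem raised in the replies.

```python
from collections import Counter, defaultdict

HOST = "mail.example.com"  # constructed host name
# Constructed sample reports: (region, host, certificate fingerprint).
REPORTS = (
    [("IR", HOST, "fp-B")] * 19 + [("IR", HOST, "fp-A")] * 1
    + [("US", HOST, "fp-A")] * 30
    + [("DE", HOST, "fp-A")] * 20
    + [("BR", HOST, "fp-A")] * 10
)
EXPECTED_REGIONS = ["IR", "US", "DE", "BR", "SY"]  # regions we expect to hear from

def dominant(counts, threshold):
    """Return the fingerprint seen by at least `threshold` of reporters, else None."""
    total = sum(counts.values())
    if total == 0:
        return None
    fp, n = counts.most_common(1)[0]
    return fp if n / total >= threshold else None

def analyze(reports, host, expected_regions, threshold=0.9):
    """Return (divergent, silent) for one host.

    divergent: {region: fingerprint} where the region's dominant cert differs
               from the dominant cert of all other regions pooled together.
    silent:    expected regions that submitted no reports at all.
    """
    by_region = defaultdict(Counter)
    for region, h, fp in reports:
        if h == host:
            by_region[region][fp] += 1

    divergent = {}
    for region, counts in by_region.items():
        local = dominant(counts, threshold)
        rest = Counter()
        for other, other_counts in by_region.items():
            if other != region:
                rest.update(other_counts)
        elsewhere = dominant(rest, threshold)
        # Flag only when both sides have a clear majority and they disagree.
        if local and elsewhere and local != elsewhere:
            divergent[region] = local

    silent = sorted(set(expected_regions) - set(by_region))
    return divergent, silent

if __name__ == "__main__":
    print(analyze(REPORTS, HOST, EXPECTED_REGIONS))
```

Pooling the other regions means a single high-volume region dilutes the "elsewhere" majority for everyone else, so only the outlier region is flagged rather than every region being flagged against it.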