Warning about certificate changes doesn't work in today's world

Posted Sep 28, 2013 8:00 UTC (Sat) by ras (subscriber, #33059)
Parent article: Encouraging a wider view

> Ts'o doesn't know how to solve the CA problem, but did have a selfish request: he would like to see certificates be cached and warnings be issued when those certificates change.

I had the same lament as Ted a year or two ago, which I mentioned to a Mozilla developer. He pointed me to a Firefox plugin called certificate patrol that does just what Ted asks. I installed it immediately.

After a few months I turned it off. You get flooded with warnings about certificates changing, particularly from Google sites.

The problem is Content Delivery Networks. The page's owners (quite rightfully) issue a different certificate to each machine that serves the same page. In Google's case the number of machines is so large there is no way you will meet them all in a reasonable time frame. Not only does Google own a large number of machines, they serve their pages from a large number of domains, so just whitelisting domains doesn't work either.

In the end, I concluded checking for certificate changes is one of those seemingly straightforward ideas that doesn't work.


Warning about certificate changes doesn't work in today's world

Posted Sep 28, 2013 8:54 UTC (Sat) by peter-b (subscriber, #66996)

In that context, the obvious solution seems to be to trust the next certificate up in the hierarchy of trust, surely? If Google are using that many certificates, surely they are deriving them from a "Google root certificate" rather than purchasing them all individually from the CA...?

Warning about certificate changes doesn't work in today's world

Posted Sep 28, 2013 22:04 UTC (Sat) by dark (subscriber, #8483)

I think it mainly requires a new feature: the ability to say "remember this certificate, but remember the older ones too". That'll help with sites that keep switching between certificates.

The problem with Google only really started when they started using two different roots, which is something they're doing on purpose to prevent API users from hardcoding their original root cert.

Does anyone know if certpatrol is still being developed?

Warning about certificate changes doesn't work in today's world

Posted Sep 29, 2013 6:33 UTC (Sun) by ras (subscriber, #33059)

> In that context, the obvious solution seems to be to trust the next certificate up in the hierarchy of trust, surely?

I had not thought about it that deeply - but now that you mention it - yes. When I installed it that is what I thought it would do. It is after all the signing cert that you are trusting. The rest are irrelevant.

That highlights another design flaw in the X509 PKI system I guess. A single signing bit was a mistake. Something that allowed the owner of foo.com to sign anything under foo.com (but nothing else) would be far more useful.

> I think it mainly requires a new feature: the ability to say "remember this certificate, but remember the older ones too". That'll help with sites that keep switching between certificates.

Funny. I thought it did that. Clearly I didn't think about it deeply enough, as it obviously doesn't.

> Does anyone know if certpatrol is still being developed?

It was updated regularly until October 14, 2011. Then nothing. So no. But it is open source, so the world would be a better place if someone picked up the ball. :D
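The two ideas raised in this thread, trusting the issuing certificate rather than the leaf and remembering every leaf a host has already presented, combined in a small cache that only warns when a host turns up with a leaf signed by a different issuer. This is an added example, not code from Certificate Patrol or from anyone in the thread; PinStore, Observe and mkCert are hypothetical names, and the certificates are generated in-process with Go's standard library so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// pin is what the cache keeps per host: the issuer its leaves chain to (the "next
// certificate up") and every leaf already accepted ("remember the older ones too").
type pin struct{ issuer *x509.Certificate; leaves []*x509.Certificate }
type PinStore map[string]*pin
// Observe classifies a presented leaf plus the cert that issued it as
// "first-seen", "known", "rotated" (new leaf, pinned issuer) or "changed".
func (p PinStore) Observe(host string, leaf, issuer *x509.Certificate) string {
	if leaf.CheckSignatureFrom(issuer) != nil {
		return "changed" // the claimed issuer did not sign this leaf: warn
	}
	e, ok := p[host]
	if !ok {
		p[host] = &pin{issuer, []*x509.Certificate{leaf}}
		return "first-seen"
	}
	for _, c := range e.leaves {
		if c.Equal(leaf) {
			return "known" // a cert this host has presented before
		}
	}
	if e.issuer.Equal(issuer) {
		e.leaves = append(e.leaves, leaf) // keep the old ones, add the new
		return "rotated"
	}
	return "changed" // a different issuer: the case actually worth a warning
}
// mkCert is a constructed helper: self-signed CA when parent is nil, else a cert for cn signed by parent/pkey.
func mkCert(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, pkey = t, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	c, _ := x509.ParseCertificate(der)
	return c, key
}
```

With this policy a CDN handing out a fresh leaf from the same intermediate is reported as "rotated" rather than as a change, while a leaf from an unrelated issuer still trips the warning.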

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds