
Fraudulent *.google.com certificate issued

Posted Aug 30, 2011 18:49 UTC (Tue) by rickmoen (subscriber, #6943)
In reply to: Fraudulent *.google.com certificate issued by dkg
Parent article: Fraudulent *.google.com certificate issued

Both Convergence and Monkeysphere seem like respect-worthy engineering attempts. I'd really love to see a hard look at both of them by some skeptical experts, as to both usability and security design/implementation. I'll confess I haven't yet given either of them a spin, partly because I'm guessing they require some study and setup before you can get much benefit.

For now, what I've used to mitigate the risk is CertWatch, which is blessedly simple and easy to fully understand: it merely keeps records about usage of SSL certs, root CAs, and intermediate certs in a sqlite database, and lets you know every time you're using a new/changed SSL cert, CA root cert, or intermediate cert for the first time. So, if suddenly my online banking login for $MY_BANK has an unexpected new cert, and especially if the new cert is from a different certificate authority that doesn't look familiar, I have the opportunity and option to be doubtful about site authenticity.

Rick Moen
rick@linuxmafia.com
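The trust-on-first-use bookkeeping the comment attributes to CertWatch, as an added illustration that is not CertWatch's own code: a sqlite table of certificate fingerprints per host, with a check that distinguishes a never-seen host, an unchanged cert, a changed cert from the same issuer, and a changed cert from a different issuer. Host name, CA names and the "certificate" bytes are constructed stand-ins.

```python
import hashlib
import sqlite3

SCHEMA = """CREATE TABLE IF NOT EXISTS seen_certs (
    host TEXT PRIMARY KEY, fingerprint TEXT NOT NULL, issuer TEXT NOT NULL,
    first_seen TEXT NOT NULL DEFAULT (datetime('now')))"""

def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn

def fingerprint(der):
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()

def check_cert(conn, host, fp, issuer):
    """Trust-on-first-use check. Returns one of:
       'first-seen'     no record for host yet; it is recorded now
       'unchanged'      same certificate as last time
       'changed'        different cert from the same issuer (renewal, or not)
       'issuer-changed' cert and issuing CA both differ: strongest warning
    A changed cert is never recorded automatically; see accept_cert()."""
    row = conn.execute("SELECT fingerprint, issuer FROM seen_certs WHERE host = ?",
                       (host,)).fetchone()
    if row is None:
        conn.execute("INSERT INTO seen_certs (host, fingerprint, issuer) VALUES (?, ?, ?)",
                     (host, fp, issuer))
        conn.commit()
        return "first-seen"
    old_fp, old_issuer = row
    if old_fp == fp:
        return "unchanged"
    return "issuer-changed" if old_issuer != issuer else "changed"

def accept_cert(conn, host, fp, issuer):
    """Record a change the user has judged legitimate."""
    conn.execute("UPDATE seen_certs SET fingerprint = ?, issuer = ?, "
                 "first_seen = datetime('now') WHERE host = ?", (fp, issuer, host))
    conn.commit()

def demo():
    # Constructed walk-through: the bank renews its cert, then a cert from a
    # stranger CA appears for the same host.
    conn = open_store()
    v1, v2 = b"constructed-der-v1", b"constructed-der-v2"  # stand-ins for DER bytes
    host, ca = "www.example-bank.test", "Example Bank Root CA"
    return [check_cert(conn, host, fingerprint(v1), ca),
            check_cert(conn, host, fingerprint(v1), ca),
            check_cert(conn, host, fingerprint(v2), ca),
            check_cert(conn, host, fingerprint(v2), "Unfamiliar CA")]
```

Because a changed cert is only stored after an explicit accept_cert(), a warning keeps repeating until the user has actually looked at the new cert, which is the point of the tool.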


