Google: Maintaining digital certificate security

Posted Mar 25, 2015 15:33 UTC (Wed) by gerv (guest, #3376)
In reply to: Google: Maintaining digital certificate security by cesarb
Parent article: Google: Maintaining digital certificate security

If this is the first time you've ever connected to a site, it's less likely you are going to be doing high value transactions on it. Most web visits are to places people have been before. HPKP is not perfect, clearly, but for sites which adopt it, it mostly removes this risk.

Gerv

Google: Maintaining digital certificate security

Posted Mar 25, 2015 16:24 UTC (Wed) by josh (subscriber, #17465) [Link]

As much as people make fun of QR codes and similar, one of these days, I'd love to see a standard for an easily-scanned barcode that includes not only a URL but the expected public key of that URL. That provides continuity from, for instance, the physical entity of your bank and a secure connection to their website.

Google: Maintaining digital certificate security

Posted Mar 25, 2015 21:05 UTC (Wed) by cesarb (subscriber, #6266) [Link] (1 responses)

> If this is the first time you've ever connected to a site, it's less likely you are going to be doing high value transactions on it. Most web visits are to places people have been before.

That's not a strong argument.

First, if my home connection (or work connection) is persistently MITM'ed, and I always (or almost always) use it, it's likely that both the first visit and all subsequent visits to any site will be MITM'ed.

Second, let's take a real example: online banking. The first time I ever connect to it, I set up the online password by using the ATM password. The online banking website asks for the ATM password as an extra verification when doing important transactions. That is, the first time I connect to that online banking website is precisely when I need the most for it to NOT be MITM'ed.

Sure, HPKP can remove a lot of the risk in many situations (nomadic devices, MITM starting after you've already visited the site, etc), but there are several situations in which it doesn't help.

Google: Maintaining digital certificate security

Posted Mar 25, 2015 21:34 UTC (Wed) by dlang (guest, #313) [Link]

no security is absolute, but if your home system is targeted by a persistent MITM that's after you and faking the sites you connect to, what are the odds against them doing a black-bag job on your system?

There are a lot of cases where something like this does help, and if it can be coupled with something like the ssh key update things so that planned migrations from one key to another don't generate noise for users, there would be a lot of value in it.