343 lines
26 KiB
Plaintext
343 lines
26 KiB
Plaintext
|
Episode: 2105
|
||
|
|
Title: HPR2105: 24 - SSL Certificates - Problems
|
||
|
|
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr2105/hpr2105.mp3
|
||
|
|
Transcribed: 2025-10-18 14:22:01
|
||
|
|
|
||
|
|
---
|
||
|
|
|
||
|
|
This is HBR episode 2105 entitled 24 SSL Certificates, Problems and in part on the series Privacy and Security.
|
||
|
|
It is hosted by AHUKA and in about 36 minutes long.
|
||
|
|
The summary is a discussion on the problem with SSL Certificates and some solutions.
|
||
|
|
This episode of HBR is brought to you by An Honesthost.com.
|
||
|
|
Get 15% discount on all shared hosting with the offer code HBR15. That's HBR15.
|
||
|
|
Better web hosting that's Honest and Fair at An Honesthost.com.
|
||
|
|
Hello, this is AHUKA welcoming you to Hacker Public Radio in another exciting episode.
|
||
|
|
This is part 2 of my talk on SSL Certificates and TLS and all that good stuff that I did at my local Linux users group.
|
||
|
|
Part 1 was about how SSL Certs work. This one is the conclusion and in this we look at some of the problems that we have with our system and some potential solutions.
|
||
|
|
So I think between the two of them if you listen to the first one and then this you'll have a pretty good idea of what's going on with SSL Certificates.
|
||
|
|
Now as before, this was recorded with a Sansa Clip Plus. I simply started recording, clipped it to my shirt. I didn't do anything else.
|
||
|
|
That's a really good way of recording me without any trouble at all.
|
||
|
|
The problem is it does not pick up anyone else in the room. So I edited out long stretches of what were essentially silence because it just couldn't pick up the voice of some of my long-winded interjectors in the room.
|
||
|
|
So I hope you enjoy it. I think it was a fun little piece to work on and we'll be seeing more of you around Hacker Public Radio. Bye.
|
||
|
|
Okay. Problems. There are problems. The problems are not the cryptography. Cryptography is well understood.
|
||
|
|
And Bruce Schneier who I tend to trust a good deal on these things says you can trust the math.
|
||
|
|
You know, that was, you know, when the Snowden revelations first came out and it was, oh my God, NSA is reading everything. Nothing is safe, blah blah blah.
|
||
|
|
And Schneier said, wait a minute. Wait a minute. Math is math. The NSA cannot break the rules of mathematics.
|
||
|
|
So cryptography is math. And if done properly is completely safe. You've got to take the time to know how to do it properly.
|
||
|
|
Although they do know who's talking to who. Oh, they do. You know, they can do traffic analysis. They can analyze the metadata.
|
||
|
|
Unfortunately, the IP address is still half the point in place. Yeah, you can't encrypt IP addresses at this point because otherwise you don't know how to send it.
|
||
|
|
Kind of like their comments with phones. I mean, they're who's talking to who. And that's almost as important as what they're saying. It frequently is.
|
||
|
|
So root authorities. By definition, nobody, the other than the browser manufacturer is vouching for the authority.
|
||
|
|
The browser manufacturer implicitly is vouching for them by the fact that they include that cert on their list of trusted root authorities.
|
||
|
|
That would be number one on the list. You can take a look. Okay. Here, for instance, we can see which ones Firefox. Now, you know, this thing can change over time.
|
||
|
|
But you can see, you know, who, who they're trusting? What are the list of them? And it's hundreds of these things.
|
||
|
|
Yeah.
|
||
|
|
I'm pretty sure, yes, old Henry snuck something in there. And, you know, that's the simplest way to do that is you just will stick our corporate cert in there and then just tell your computer to trust it.
|
||
|
|
But they wouldn't just do it for the browser. They would do it for the computer as a whole. If I were doing it, I would say Android.
|
||
|
|
We want to keep down the file size and all of this stuff. We'll just configure all Android phones to connect to Google's proxy server that will then, you know, you can do it that way.
|
||
|
|
So, yeah, these lists that there's hundreds of these certificate authorities, some of them are governments.
|
||
|
|
All right. Would you trust a certificate signed by the government?
|
||
|
|
It depends what I want to trust before.
|
||
|
|
Yeah.
|
||
|
|
I would trust it if my goal is just to get an encrypted session, but I don't hear it.
|
||
|
|
I'd be, you know, it depends if, you know, Cliff does, I know, consulting work for the Department of Defense.
|
||
|
|
So, you know, he probably has a certificate signed by the Department of Defense and it's like, well, yeah, you would if you were doing work for them.
|
||
|
|
I want to be careful here.
|
||
|
|
You said encrypted communication between two people. That's not really what we're talking about here.
|
||
|
|
If I wanted to have an encrypted conversation with Pritt Paul and it was desperately important that it be private, I would not be just relying on an x.509 cert to a website to do the job.
|
||
|
|
No.
|
||
|
|
But if they can convince you that they are this website you wish to connect to and you start carrying on a conversation now, they're doing a man in the middle attack.
|
||
|
|
Yeah.
|
||
|
|
And that has happened.
|
||
|
|
Unfortunately, a given with any CA.
|
||
|
|
Oh, yeah.
|
||
|
|
CA can do or spook anything they want.
|
||
|
|
So, you know, the one that my favorite one is the Hong Kong Post Office is a root certificate authority.
|
||
|
|
Now, browsers don't always agree that it's not like there's one list that all browsers accept.
|
||
|
|
Well, probably so if something comes through signed by one of those certs they can throw up a big warning that says this comes from an untrusted cert and should be disregarded.
|
||
|
|
All right, that would be my guess.
|
||
|
|
So, here's a famous case.
|
||
|
|
Did you know tar?
|
||
|
|
A Dutch certificate authority that was hacked in 2011.
|
||
|
|
It looks as if the hackers were affiliated with the Iranian government.
|
||
|
|
What was the Iranian government doing?
|
||
|
|
All right.
|
||
|
|
Assuming that was them, it's hard to prove these things.
|
||
|
|
Well, they were issuing fraudulent certificates for Google.
|
||
|
|
That would allow them then to do man in the middle attacks on Gmail users.
|
||
|
|
So, you're an Iranian dissident.
|
||
|
|
You're trying to communicate through Gmail.
|
||
|
|
All right.
|
||
|
|
I'm going to use HTTPS.
|
||
|
|
I'm going to get a secure connection to that Google server.
|
||
|
|
All right.
|
||
|
|
And the Iranian government has a certificate that says, yeah, we're Google and we get this signed by a rude authority.
|
||
|
|
So, yeah, tell us all about it.
|
||
|
|
Yeah, and the fact is when you log in they now have your login credentials.
|
||
|
|
So, they can then from there they can log into Google and present you all of your email files just as normal you wouldn't know.
|
||
|
|
Any level where you contain an ASM and a rude authority.
|
||
|
|
You pretty much own the store.
|
||
|
|
Yeah.
|
||
|
|
Okay.
|
||
|
|
Indeed.
|
||
|
|
And Google has been taking steps to deal with that.
|
||
|
|
So, another good case, the government of India, a government body, the National Informatics Center.
|
||
|
|
Issued certificates purporting to be from Google and Yahoo.
|
||
|
|
Now, the fortunate thing is this certificate authority presenting itself as a rude authority was never trusted by Google or Mozilla.
|
||
|
|
But it was trusted by Microsoft.
|
||
|
|
Now, presumably this, you know, what are the two biggest webmail providers out there?
|
||
|
|
I'm pretty sure it's Google and Yahoo, right?
|
||
|
|
So, yeah, there's a lot of stuff around the certificate authorities.
|
||
|
|
There's another one, the French government, Treasury Department there issued fake Google certificates and got them vouched for.
|
||
|
|
So, here's one.
|
||
|
|
This one was possibly just a blunder rather than a, you know, hack or something sinister.
|
||
|
|
But a couple of certs were issued.
|
||
|
|
Now, you know, a regular cert can only be used to validate your site.
|
||
|
|
An intermediate cert can be used to sign other certs.
|
||
|
|
So, it's a more powerful certificate.
|
||
|
|
And a couple of these were issued by mistake and one of them did go to the Turkish government.
|
||
|
|
You know, Turkish governments locking up journalists and stuff like that.
|
||
|
|
So, they're not cuddly.
|
||
|
|
So, let's say the Turkish government wanted to scan traffic hypothetically.
|
||
|
|
This requires getting in the middle.
|
||
|
|
Well, that's really similar to what companies do with traffic on their network.
|
||
|
|
So, if a company adds its cert onto your computer and says this is a trusted cert, you know, you're not going to get the same kind of warnings.
|
||
|
|
Now, with an intermediate cert signed by a root authority, I mean, you've already got all of the trust you need.
|
||
|
|
Unless you try to access Google using Chrome.
|
||
|
|
Because one of the things Google does now is, you know, anyone tries to access a Google site.
|
||
|
|
It is going to force a check back with the mothership to just say, you know, is this really the key that is supposed to go with this cert?
|
||
|
|
Is it legitimate?
|
||
|
|
So, it comes with a list of Google certs built in and it knows if there's anything funny.
|
||
|
|
And that does continue to happen regularly.
|
||
|
|
I see stories in the paper about, you know, someone was trying to pass themselves off as Google and Google caught them through this.
|
||
|
|
So, remember the man in the middle basically can create a secure encrypted connection both ends.
|
||
|
|
I can create it with you, the customer, I can create it with the website that you're trying to deal with.
|
||
|
|
And then just sit in the middle and read all the traffic as it goes by.
|
||
|
|
And if I can convince you that, yes, I am Google that's going to make it a whole lot easier.
|
||
|
|
And so I say, this is what corporate networks do legally to monitor their traffic.
|
||
|
|
And courts have consistently held, they have every right to do that.
|
||
|
|
And arguably they have every responsibility to do it because employees are idiots.
|
||
|
|
And we all know this.
|
||
|
|
And so, you know, someone's going to send an email that says, ah, you won't believe how funny this video is and someone will click on it.
|
||
|
|
And then there's this thing now called spear fishing, which is, you know, fishing is, you send out an email hoping to catch a few fish out there.
|
||
|
|
The spear fishing is, I'm going after Dennis because Dennis is the chief financial officer of this billion dollar company.
|
||
|
|
Just go with me on this. Just go with me on this.
|
||
|
|
So what I do is I do a little research, you know, what's, and you know, a little bit of research I discover, oh, well, you know, Dennis plays tennis.
|
||
|
|
And I start building a profile so I can send you an email that is targeted to your interests.
|
||
|
|
And I just have to get you to click on something and I get in.
|
||
|
|
And, you know, lately there've been a few interesting examples of this with people sending an email to the finance department of a bank and initiating a wire transfer that supposedly was authorized by the president of the bank or some other high executive.
|
||
|
|
It looks legitimate and the account, you know, finance department just starts initiating it.
|
||
|
|
And as I said, employees are idiots. You have to take that as a given in corporate security.
|
||
|
|
So recently, I think it was a Bangladesh bank.
|
||
|
|
The total transfer was supposed to be close to a billion, but it was caught after only 80 million was lost.
|
||
|
|
The 80 million disappeared into the Philippines and will probably never be heard from again.
|
||
|
|
And the only reason it was caught was they made stupid typos on one of the messages and a German intermediary just doesn't look right.
|
||
|
|
Something's funny here. I'm going to ask a question.
|
||
|
|
So anyway, the thing with the, you know, man in the middle stuff is on a company network, you know, you have a self-signed certificate, but it's designated as trusted because the IT department has the power to do that.
|
||
|
|
Unless you are using Chrome to access Google, in which case you should get a warning.
|
||
|
|
You know, that man in the middle is going to work, but it does mean technically the company could be looking at your bank log-in credentials.
|
||
|
|
You know, what about the government? You know, you can make the argument that we're not evil like Communist China.
|
||
|
|
I've never entirely bought that argument. There are differences, but...
|
||
|
|
You know, one of the things we want to be careful here, not to get the wrong conclusion out of all of this.
|
||
|
|
I think it would be wrong to simply say, oh, it's hopeless.
|
||
|
|
And no such thing as security. I would say we should understand where the weaknesses are.
|
||
|
|
And I will go back to Bruce Schneier, who says, define the threat you are concerned with, and then look into countermeasures that are suitable to that threat.
|
||
|
|
If the NSA is after me, I've got much bigger problems.
|
||
|
|
This computer security stuff means nothing.
|
||
|
|
If they're after me in particular, does that mean there's no possible way you can protect yourself against the NSA?
|
||
|
|
I don't know, so far Edward Snowden has done a pretty good job of it.
|
||
|
|
If I was in that situation, I would study him like a rabbi study scripture.
|
||
|
|
So when I did my presentation on passwords, for instance, I said, look, if you are trying to keep the FBI out of your email, that's one thing.
|
||
|
|
That doesn't happen to be a threat that I lose any sleepover.
|
||
|
|
I defined the threat I was concerned with as there are people out there who hack into target point of sale and come away with five million credit card numbers.
|
||
|
|
And I want to make sure mine is one of the harder ones for them to use.
|
||
|
|
That's the threat and that's how I'm approaching it.
|
||
|
|
And that turns out that that's a relatively easy thing to do if you think about it the right way.
|
||
|
|
And decrypting is not the only thing they're concerned with.
|
||
|
|
If you paid attention to the things that started coming out in the Snowden documents, a lot of it had to do with installing keyloggers and physical access to computers and stuff like that.
|
||
|
|
So one of the things, if your browser has this certificate information, keep your browser updated.
|
||
|
|
Now that's not the only security reason you'd want to keep your browser updated.
|
||
|
|
I remember in a previous presentation, I started off by comparing what were the top concerns of average people versus the top concerns of security professionals.
|
||
|
|
And security professionals is like update your software.
|
||
|
|
You stupid, update your software and get the patches.
|
||
|
|
So get your patches.
|
||
|
|
Keep up to date.
|
||
|
|
That will not only take care of revoked certificates, but other things that they discover along the way that our security holes, they will patch them.
|
||
|
|
Yes, you can.
|
||
|
|
You probably want to experiment a little bit because what happens is at some point you disable enough of those and you're going to hit some website that suddenly is going to set off all these alarm bells because you disabled the root authority.
|
||
|
|
And it's hard to know who their root authority is in all those cases.
|
||
|
|
There we were talking about no script, you know.
|
||
|
|
If you put in no script and turn off all Java scripting, yeah, it will improve your security immensely except that the web is scarcely worth going to anymore.
|
||
|
|
Everything's good.
|
||
|
|
My own sites have javascript on them.
|
||
|
|
So certificate revocation.
|
||
|
|
If a certificate is bad, it should be revoked.
|
||
|
|
So those digginotar certs, those Indian government certs, et cetera, should revoke them.
|
||
|
|
Now Firefox handles revocation quite well.
|
||
|
|
Technically, it's not a difficult sort of thing.
|
||
|
|
Someone revokes the certificate.
|
||
|
|
You have a list of revoked certificates. You check that list.
|
||
|
|
If you get a match, sorry, that certificate's been revoked.
|
||
|
|
Chrome refuses to.
|
||
|
|
I mean, the people in charge of security for the Chrome browser basically said,
|
||
|
|
we don't think it scales. We're not going to do it.
|
||
|
|
Which I think is really stupid, but then again, I'm not in charge of Chrome security.
|
||
|
|
So you can take that however you wish.
|
||
|
|
That was the whole thing at the heart of the heart bleed was a certificate issue.
|
||
|
|
I will say my general impression is that Firefox just does security a lot better than Chrome does.
|
||
|
|
So if security is a thing, I'm just going to say that's where I would go.
|
||
|
|
There's some good add-ons.
|
||
|
|
Many of these are available for more than one browser.
|
||
|
|
So one of the convergence warns you if the certificate you see is not what others see.
|
||
|
|
And you can read about that here.
|
||
|
|
Well, if it comes from EFF, I probably do.
|
||
|
|
Yeah, I mean, at a certain point, this starts looking like a John Likaree novel.
|
||
|
|
No one can be trusted anywhere.
|
||
|
|
Yeah, you got to decide. So generally speaking, if it's from Electronic Frontier Foundation,
|
||
|
|
I'm probably going to trust it.
|
||
|
|
If it's something I hear security professionals advising, like no script, a number of security professionals.
|
||
|
|
If it's something I hear on Facebook, I probably am not going to trust it.
|
||
|
|
Because I know who I connect to on Facebook. They're not all that smart.
|
||
|
|
So this one, the convergence, is sort of almost like the web of trust in a certain way.
|
||
|
|
Basically, what they're doing is they're collecting data on the cert.
|
||
|
|
And so, you know, I might say, well, I got a cert from this site that looked like this.
|
||
|
|
And then, well, Mike got a cert from that site that looked different.
|
||
|
|
One of these is probably bad, a man in the middle kind of thing.
|
||
|
|
So that's what convergence is trying to do.
|
||
|
|
Certificate patrol is an add-in that just says the cert has been updated.
|
||
|
|
Just let you know. You know, you're using an older version of the cert.
|
||
|
|
Why was it updated? I don't know. Maybe it was just because the old one ran out and was time to renew the cert.
|
||
|
|
But you know, the one that you have is not the latest one on their database.
|
||
|
|
One on our database is newer.
|
||
|
|
One thing, if what you're talking about is creating a secure connection to a server,
|
||
|
|
now this won't work in every case.
|
||
|
|
But in a number of cases, what you can do is get two factor authentication.
|
||
|
|
That's a really good layer of security.
|
||
|
|
It adds a little bit of a speed bump along the way.
|
||
|
|
So for instance, well, it's where the security comes from.
|
||
|
|
So Gmail. I've got a Gmail account.
|
||
|
|
Several of them, in fact.
|
||
|
|
And if I sit down at a computer and I have not with this computer logged into Gmail before,
|
||
|
|
because it stores a cookie on your hard drive.
|
||
|
|
I'm over at Mike's house, and hey, I just want to check my email, Mike.
|
||
|
|
You know, okay, if I log into Gmail, I'm fine.
|
||
|
|
Well, what would happen is I would try to log in, and then I would get a thing on my phone saying,
|
||
|
|
this is the code you need to type in before we're going to give you access.
|
||
|
|
And since that's only going to be on my phone, anyone else who tries to log into my Gmail account won't get there.
|
||
|
|
Another thing I have several websites, different domains, WordPress.
|
||
|
|
Well, Duo Security has an add-in to do two factor authentication for that.
|
||
|
|
So if I try and do an administrative login to update my site again,
|
||
|
|
I'm going to get something on my phone saying, hey, I mentioned I use last pass.
|
||
|
|
I've got two factor authentication on last pass.
|
||
|
|
If I try to open up my password vault, the first thing that happens is I get a thing on the phone saying,
|
||
|
|
okay, is this allowable?
|
||
|
|
So I love two factor authentication.
|
||
|
|
You know what it would tell me though?
|
||
|
|
If I say I was trying to log in a Gmail and someone was doing a man in the middle,
|
||
|
|
remember what they have to do in the middle is they have to log in a Gmail.
|
||
|
|
And that would be a computer that has not logged into my account before.
|
||
|
|
So I would get something on my phone.
|
||
|
|
No, it's a cookie on the hard drive of the computer they're looking for.
|
||
|
|
I mean, there would be occasions where that would...
|
||
|
|
A couple of months I get something that keeps me alerted that, oh yeah, that's right.
|
||
|
|
So what I found in practice is that with Gmail, the cookie is there,
|
||
|
|
and from then on I can connect on that computer.
|
||
|
|
With WordPress, the administrative login to my sites, that persists until I reboot.
|
||
|
|
So I only have to log in once on a session, but as soon as I reboot,
|
||
|
|
I have to reauthenticate.
|
||
|
|
And that's why I think when I was talking about passwords,
|
||
|
|
I mentioned having a password written down and stuck in your wallet,
|
||
|
|
maybe a perfectly reasonable thing to do, depending on what the threat is that you're concerned with.
|
||
|
|
Ubike?
|
||
|
|
That's also great.
|
||
|
|
Ubike would be one more thing for me to be carrying around.
|
||
|
|
I'm already carrying my phone around anyway.
|
||
|
|
So that's why for me, the two-factor using the telephone makes the most sense,
|
||
|
|
because that's the one thing I will probably most likely have with me at all times.
|
||
|
|
Yeah, with the Ubike, you know, that's a USB plug-in,
|
||
|
|
which is fine on most computers, but I don't have that kind of USB port on my tablet.
|
||
|
|
I don't have that online selling it, but it's...
|
||
|
|
You know, Ubikes are wonderful.
|
||
|
|
I've actually got one, but it's just rather a lot for a short-range connection.
|
||
|
|
So there's a good article here at EFF.
|
||
|
|
If you want some more information, how to protect yourself.
|
||
|
|
Now, what about the system?
|
||
|
|
The early model is fundamentally broken.
|
||
|
|
We need to rely less on trust and more on provable security,
|
||
|
|
and all of those different certificate authorities getting hacked and bad certs being issued and everything else.
|
||
|
|
Okay, this is not the way to do things.
|
||
|
|
It is, however, what we have and the tyranny of the default.
|
||
|
|
So Google, as I said, refuses to implement certificate revocations,
|
||
|
|
but has offered something called certificate transparency,
|
||
|
|
and that is they put out a public log of all the certificates,
|
||
|
|
and invite anyone to take a look.
|
||
|
|
There's a lot of certificates.
|
||
|
|
You would want to have a computerized way of checking this list.
|
||
|
|
This is essentially giving everyone else the opportunity to do what Google already does,
|
||
|
|
is looking all over the internet and who is better placed than Google to do this,
|
||
|
|
for anyone claiming to be Google that isn't Google.
|
||
|
|
So they see those certs.
|
||
|
|
So if they put that out there, it's like, oh, okay.
|
||
|
|
And add a timestamp, and then it's up to you.
|
||
|
|
I'm the owner of a certificate.
|
||
|
|
I want to make sure that no one else is trying to pass themselves off as me.
|
||
|
|
Well, I could go to this list and scan through, but that's kind of my problem.
|
||
|
|
Exactly, but you're relying on each individual cert owner to go out and do this.
|
||
|
|
Let's say it's not a good thing for a browser.
|
||
|
|
It's a nice thing for a site owner.
|
||
|
|
I'd rather have it than not have it.
|
||
|
|
But I would think of it as at best a 90-10 solution.
|
||
|
|
It may get you 90% of what you need, but it's not 100%.
|
||
|
|
Now, another approach to improving this, TLS extensions.
|
||
|
|
SSL certificates are part of the larger transport layer security protocol.
|
||
|
|
It is possible to start adding things through extensions to the TLS new encryption methods.
|
||
|
|
So, the elliptical curve just is so efficient that it really seems like that is destined to at least over the intermediate term take over encryption.
|
||
|
|
Now, what's going to happen down the road?
|
||
|
|
I didn't say anything was 100% guaranteed perfect.
|
||
|
|
The thing with security.
|
||
|
|
You know, it's like the FBI says,
|
||
|
|
Crooks have to get it right 100% at the time.
|
||
|
|
We only need them to screw up once.
|
||
|
|
We can fix it, yes.
|
||
|
|
It is possible to screw up any encryption algorithm.
|
||
|
|
We know, for instance, that with elliptical curve, it is pretty clear that the NSA got involved when this was first promulgated by an IST.
|
||
|
|
It stuck in a particular implementation of this.
|
||
|
|
At the time people were saying,
|
||
|
|
Huh?
|
||
|
|
Why is this the default recommendation when it's not nearly as efficient as all of these?
|
||
|
|
But NSA was able to kind of push that through and no one squawked enough until I think really after Ed Snowden,
|
||
|
|
everyone kind of went back and said, wait a minute.
|
||
|
|
What was going on back there?
|
||
|
|
From everything I've seen, elliptic curve encryption itself is good.
|
||
|
|
Now, maybe there's something I haven't seen that would change my mind.
|
||
|
|
Yeah, I read his blog.
|
||
|
|
And the thing is, yeah, it is an arms race.
|
||
|
|
A couple of years ago, what I was hearing from a lot of people was,
|
||
|
|
oh, it doesn't matter because quantum computers are going to come along and it's going to break everything, which is half-right.
|
||
|
|
But as I recall, at the time I was saying what that means they'll come up with quantum encryption.
|
||
|
|
And I'm already seeing that being reported in the security area.
|
||
|
|
They're starting to come up with quantum computer approaches to end-crypting.
|
||
|
|
So whatever, we have a mechanism in place through TLS extensions that say, you know, as periodically happens,
|
||
|
|
you know, this algorithm is no longer sufficiently strong.
|
||
|
|
Let's drop it. Oh, we've got something else. It's a lot better. Let's put that one in.
|
||
|
|
Now, OCSP, online certificate status protocol, what this is is basically, I get a cert from a website.
|
||
|
|
And it's like, huh. How do I know this any good?
|
||
|
|
Well, it was signed by a certificate authority. I go to the certificate authority and say, is this still good?
|
||
|
|
The certificate authority can come back and say, yeah, yeah, still fine.
|
||
|
|
Now, that would still be vulnerable to a man in the middle. It's not the ultimate answer.
|
||
|
|
But it does indicate one of the ways that we can go with this, which is to say, let's, let's, I don't know if they're talking about stapling or a different approach.
|
||
|
|
But this was the next thing. Certificate, the certificate owner gets a verification from the certificate authority and staples it to the certificate.
|
||
|
|
And then tells your browser, you must look for this. And if it's not found, they should then query the CA directly.
|
||
|
|
And as long as the certificate authority has not been compromised, that probably works, but it probably is not safe against the NSA.
|
||
|
|
But again, define what it is you're trying to protect yourself against. This does at least increase the level of security around the certificate process.
|
||
|
|
So in summary, search used standard cryptography methods. Problems are not with the cryptography. Maths does still work.
|
||
|
|
But there are problems with the processes. And just relying on trust is not a good way to go.
|
||
|
|
Well, that wraps it up. And I hope you enjoyed everything. This is Ahuka. I had a great, great time doing this. It was fun giving the talk. And I enjoyed being able to share it with my friends on Hacker Public Radio.
|
||
|
|
As always, I want to remind you to support FreeSoftware. Bye-bye.
|
||
|
|
You've been listening to Hacker Public Radio at Hacker Public Radio.org. We are a community podcast network that releases shows every weekday, Monday through Friday.
|
||
|
|
Today's show, like all our shows, was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contributing to find out how easy it really is.
|
||
|
|
Hacker Public Radio was founded by the Digital Dove Pound and the Infonomicom Computer Club, and is part of the binary revolution at binwreff.com.
|
||
|
|
If you have comments on today's show, please email the host directly, leave a comment on the website or record a follow-up episode yourself.
|
||
|
|
Unless otherwise status, today's show is released on the Creative Commons, Attribution, Share a Life, 3.0 license.
|
||
|
|
Thanks for watching.
|