[glass-]

Convergence was the perfect replacement, but it never gained any traction.

Moxie's talk at BlackHat[0] introducing it is a good watch for those unfamiliar with the idea, and if you want to be wistfully frustrated at what could have been.

[0] http://www.youtube.com/watch?v=Z7Wl2FW2TcA

[acdha]

We still don't know how that would have worked in practice. Even skilled people have trouble making trust decisions reliably for everything and while we'd avoid the compromised CA threat I'm certain we'd start seeing equivalents like dishonest or incompetent notaries – and those might last longer because fewer people see the dodgy results since not everyone is using the same set of notaries.

If it became popular, it's really easy to imagine something like the Great Firewall being configured to block outside notaries to encourage people to use local notaries which are still under the control of the local authorities.

That's not to say it's not interesting work or potentially a solid improvement, only that I would be extremely hesitant to make absolute statements about an untested internet-scale security protocol. The approaches we're seeing work now do so because they're adding to well-understood protocols (e.g. HSTS, key-pinning, etc.) or don't change the trust model (if Google goes rogue, Chrome users are already screwed).

[glass-]

I have no doubt that there would be incompetent or dishonest notaries. The difference being that in an alternative universe, where Convergence is used, a rogue notary doesn't destroy the trust of the entire system. When Symantec is a rogue notary, oh well, Mozilla and Google push out an update and no one uses Symantec anymore, their notary just becomes irrelevant. However, in this reality, the darkest timeline, deciding to stop trusting Symantec immediately breaks 30% of HTTPS websites on the internet, so even though Symantec has given everyone plenty of reasons to stop trusting them, we have no choice. Same for Comodo, their notary would have stopped being used in 2011 (after their root certificate compromise).

Instead, with Comodo and Symantec combined, we now have over 60% of HTTPS websites secured by authorities who are incompetent and/or dishonest.

[itistoday2]

> Convergence was the perfect replacement, but it never gained any traction.

It's really not.

https://github.com/okTurtles/dnschain/blob/master/docs/Compa...

[glass-]

That sounds like it was written by someone who doesn't completely understand Convergence, and also has an alternative agenda (they want their own solution adopted).

> It is not very user friendly. Users are asked to manage a list of notaries. This list of notaries is stored locally on the computer, or even the browser. Managing this list is not feasible for most users.

Browsers can replace the CA root certs with a notary list and pick notaries at random from the list. This is not a problem like with CAs as multiple notaries have to collude to form a consensus (you only need one rogue CA), and rogue notaries can be removed on a whim, unlike CA roots which are indentured (removing a CA breaks any site that uses it).

> It's not clear how well it protects (or can protect) if some notaries haven't yet cached the latest SSL certificate for a particular website.

This doesn't matter at all. The notary looks the cert, checks the signature and tells you if it matched what you're seeing.

> It does not provide MITM protection on first visit.

Yes it does. If your connection is MITM'd the notaries won't match your perspective.

> Waiting for group consensus means all connections have higher latency (slower page loads).

Only the first visit, before the notaries confirm the certificate signature you're seeing, and then you cache it and only need to check it again if it changes.

> Both Convergence and Perspectives (see below) results in you sharing every website you visit with random third-parties.

Bounce notaries exist for this reason.

> With DNSChain, if privacy is a concern, you can run your own server and only rely on it

Same with Convergence.

[itistoday2]

Thank you glass-! The information you've provided here I did not find in the Convergence documentation. I've updated the document to be accurate with your reply and added a new, rather significant critique that I somehow missed the first time around. Please feel free to re-review:

> It does not protect you if the MITM is sitting in front of the server you are visiting. Notaries would see exactly the same key that you see (the one that belongs to the MITM).