by fugue88 5566 days ago
We could use GPG for normal e-mail correspondence. But I really don't know if this would do anything more than delay any problems.

In a similar vein, I've deleted all the trusted root CA certs from my computer, and am now marking individual certs trusted as I hit them. Not fail-safe, but safer, I think.

3 comments

I don't understand what you're doing. When you get an individual cert, are you adding another trusted authority to verify that cert? If you're just trusting the individual cert, you're exposed to MITM.
Yes, you're exposed to MITM. But if you permanently mark the cert as trusted, and the MITM goes away, you'll know something has changed. You'll be blind as to which way things changed, but at least you'll know to investigate.
Haha, this doesn't make any sense. How can you possibly know the real cert from the one generated by NSA?
Great question! Unfortunately, I don't think you can.

If you use CA certs to trust site certs, the site certs can change on the fly (i.e. be replaced with an NSA interloper) without you knowing.

If you kill your CA certs, and mark individual sites trusted, then at least your browser will notify you if the site's cert has changed since you last trusted it. Theoretically. I haven't actually tested this yet. :(

Call them on the phone and ask them to read you their cert fingerprint. Or use this: http://www.networknotary.org/firefox.html
Phone lines are secure of course ...
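
The trust-on-first-use idea discussed in the comments above (pin a site's certificate, get alerted when it changes, optionally confirm the fingerprint over another channel), as an added example that is not part of the original thread. `PinStore`, the JSON pin file and the status strings are hypothetical, and the certificate bytes are constructed stand-ins for DER data.

```python
import hashlib
import json
import os

def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Accept a fingerprint read aloud or pasted: ignore case, spaces, colons."""
    hexchars = "".join(c for c in fp.upper() if c in "0123456789ABCDEF")
    return ":".join(hexchars[i:i + 2] for i in range(0, len(hexchars), 2))

class PinStore:
    """Hypothetical per-host pin file (JSON) implementing trust on first use."""

    def __init__(self, path: str):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path, encoding="utf-8") as fh:
                self.pins = json.load(fh)

    def check(self, host: str, der_cert: bytes, out_of_band: str = None) -> str:
        seen = fingerprint(der_cert)
        pinned = self.pins.get(host)
        if pinned is not None:
            # A pin exists: a difference means something changed (rotation or
            # interception). The store cannot tell which, only that it differs.
            return "match" if pinned == seen else "changed"
        if out_of_band is not None and normalize(out_of_band) != seen:
            return "oob-mismatch"  # first contact disagrees; do not pin
        self.pins[host] = seen
        with open(self.path, "w", encoding="utf-8") as fh:
            json.dump(self.pins, fh, indent=2)
        # Without an out-of-band check, first use is blind to an active MITM.
        return "pinned-verified" if out_of_band is not None else "pinned-unverified"

# Constructed byte strings standing in for DER certificates (not real certs).
# In live use the bytes would come from ssl.SSLSocket.getpeercert(binary_form=True).
CERT_A = b"constructed-der-bytes-for-site-cert-A"
CERT_B = b"constructed-der-bytes-for-a-different-cert-B"
```
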
>In a similar vein, I've deleted all the trusted root CA certs from my computer, and am now marking individual certs trusted as I hit them. Not fail-safe, but safer, I think.

Excuse my ignorance, could you tell me why it's useful to remove the certs from a PC? I've heard about root certs a couple of times already but don't understand what they really are.

Basically if you see a certificate on the interwebs, it goes through and says:

"This particular website is X". And it can back this up with all sorts of fancy math.

The problem then, is how do you know that the particular certificate is correct? I can go through and make a certificate saying that I'm Santa Claus. How you get around that is by using another certificate that you already have, and using that to certify the website's certificate. I.e. if you trust GoDaddy (or the Hong Kong post office), and I have a certificate saying that I'm me, signed by GoDaddy, then you can trust that I'm me.

The collection of certificates that you trust are then called the "root ca", and having random certificates there is a problem because if one of them was to produce a forged certificate, you'd never know about it. I.e. by adding in untrusted certificates to your root ca, you lose trust in the whole certificate chain of trust process.

Thanks for the explanation. After taking a look at the certificates that come with Windows, I can see that there are dozens of trusted root certificates, issued by some organizations that I've never heard of. Can I really trust those "root ca"? Especially since I noticed some differences between the two PCs that I've checked!
Usually the OS or browser vendor chose them, so it is normal that they differ between computers. But the CA trust chain really sucks, as one compromised CA compromises everything (the security of the system relies on the security of the weakest root CA).