Hacker News new | ask | show | jobs
by bsaul 4131 days ago
I could see another weaker but immediately implementable approach to just issueing a list of domain-root certificate maps that someone would have to manage :

Why couldn't browser issue a warning whenever the root CA for a known domain has changed compared to previous browsing sessions ? I suppose MITM attack are targeted and probably depends on the network you're using. If there's a difference between the root certificate for google.com when surfing with your laptop at home or from the office, then there's probably something wrong.

It's a bit similar to what ssh is doing with cert/ip associations.
2 comments
kijin 4131 days ago
That's what certificate pinning is for. And of course, Chrome already refuses to connect to Google if the certificate doesn't match what Chrome expects.

http://tools.ietf.org/html/draft-ietf-websec-key-pinning-12

link
itistoday2 4131 days ago
Pinning has a lot of problems. Copied from our Comparison [1] docs:

Both TACK and HPKP are mechanisms for doing public key pinning for individual websites.

These mechanisms are similar to how SSH uses a known_hosts file to store the fingerprints of public keys it encounters on a "Trust-On-First-Use" ("TOFU") basis.

The problem with these mechanisms is:

* They don't protect on first visit.

* They break websites when the public key needs to legitimately change.

* In the case of TACK, the TACK public key needs to change very frequently (at least every 30 days). This defeats the purpose of pinning, as a MITM does not need to wait long before they can present a fraudulent key that the user has no way to know is legitimate.

* These mechanisms assume that client software has its current time set properly, and they break when that's not true.

While DNSChain does use public key pinning, it doesn't have these problems because there is only one pin that is ever required: the pin to DNSChain itself, which is easily verified once only at setup.

[1] https://github.com/okTurtles/dnschain/blob/master/docs/Compa...

link
lawl 4131 days ago
If you use firefox, take a look at https://addons.mozilla.org/de/firefox/addon/certificate-patr...

Does exactly that.

link