[SSL Observatory] SSL CA compromise in the wild

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Mar 23 10:49:03 PDT 2011


On 03/23/2011 01:33 PM, Steve Schultze wrote:
> I do wonder whether there has been any work on TOFU for SSL cert verification other than the existing Firefox plugins like Cert Patrol... of course cert rollover and accelerators probably make that hard to do well.  Maybe TOFU of the CA rather than the leaf would be viable.

TOFU of a CA sounds like a bad idea to me.

> Anyway, I stand by the first part of my email fwiw... SSH is just TOFU.

Unless you use OpenSSH's new self-designed certificates;

 or Roumen Petrov's X.509 patches [0]

 or the OpenPGP Web of Trust via Monkeysphere [1].

Monkeysphere also provides OpenPGP certification of https servers for
users of firefox. (i'm a contributor to the project)

But yes, i agree that common use of ssh (particularly with OpenSSH) is TOFU.

	--dkg

[0] http://www.roumenpetrov.info/openssh/
[1] http://web.monkeysphere.info/
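As an added illustration of the TOFU model discussed in this thread (example code, not part of the original post and not code from OpenSSH or Monkeysphere): a minimal trust-on-first-use verifier that pins a host key fingerprint on first contact and flags any later change. The "host key" byte strings and hostnames are constructed placeholders; the point is the failure mode Steve mentions, that a pinned verifier cannot tell a legitimate key rollover from an interposed server without some out-of-band decision.

```python
import base64
import hashlib

# Constructed sample "host keys". Real SSH would present the server's public
# key blob; these labelled byte strings stand in for two distinct keys.
KEY_A = b"ssh-ed25519 constructed-key-A"
KEY_B = b"ssh-ed25519 constructed-key-B"


def fingerprint(key_blob: bytes) -> str:
    """SHA-256 fingerprint in the OpenSSH 'SHA256:<unpadded base64>' style."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class TofuVerifier:
    """Trust on first use: remember the first key seen per host, alarm on change.

    The pin store plays the role of ~/.ssh/known_hosts (hypothetical in-memory
    analogue; nothing here reads or writes the real file).
    """

    def __init__(self):
        self.pins = {}  # hostname -> fingerprint pinned on first contact

    def verify(self, host: str, key_blob: bytes) -> str:
        fp = fingerprint(key_blob)
        pinned = self.pins.get(host)
        if pinned is None:
            # First use: no prior knowledge, so trust and record the key.
            self.pins[host] = fp
            return "pinned"
        if pinned == fp:
            return "ok"
        # Key differs from the pin. TOFU alone cannot distinguish a planned
        # rollover from an attacker presenting a different key; refuse and
        # leave the decision to an explicit, out-of-band confirmation.
        return "mismatch"

    def accept_rollover(self, host: str, key_blob: bytes) -> str:
        """Replace the pin after the operator has confirmed the new key
        through some channel other than the connection itself."""
        fp = fingerprint(key_blob)
        self.pins[host] = fp
        return fp


if __name__ == "__main__":
    v = TofuVerifier()
    print(v.verify("server.example", KEY_A))  # pinned
    print(v.verify("server.example", KEY_A))  # ok
    print(v.verify("server.example", KEY_B))  # mismatch
```

The `accept_rollover` step is exactly what a certificate-based scheme (OpenSSH certificates, X.509, or a web of trust) replaces: a signature from a key the client already trusts lets a new host key be accepted without a manual decision, which is why a key change under plain TOFU always surfaces as a warning the user has to resolve.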
