[kwlug-disc] Blue Coat
Hubert Chathi
hubert at uhoreg.ca
Sat May 28 20:10:31 EDT 2016
On Sat, 28 May 2016 15:11:39 -0400, Bob Jonkman <bjonkman at sobac.com> said:
> There are trusted CAs in the browser, and there are trusted CAs in the
> OS. Untrusting one of these CAs works only until the next browser
> update or OS CA store update.
> I used to diligently untrust CAs like DigiNotar and Comodo, both of
> which have issued bogus certificates in the past. It's yet another
> game of computer whack-a-mole, they keep on popping up as fast as you
> can beat them down. I don't do that any more; now I just hold my
> breath and hope I don't get pwnd.
Site owners can somewhat mitigate the threat by using key pinning -- as
long as your first visit to the site is secure, during subsequent
visits, your browser will know which key/CA to expect. It's kind of
scary to use it, though, because if you make a mistake then it means
that your site is inaccessible for a while, which is probably why it
isn't more widely used.
In theory, an extension such as Perspectives[1] could also help, by
comparing the certificate that your browser sees with what other servers
(called notaries) see. However, the default set of notaries in
Perspectives is deficient; see the comments for suggestions on notaries
to use. You can also run your own notary (though, of course, it only
works if your notary lives in a different area of the Internet than you
do). It doesn't work very well, however, with some sites that use many
different certificates at once and/or who rotate their certificates very
frequently.
[1] https://addons.mozilla.org/en-US/firefox/addon/perspectives/
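Added example (not part of the original post or of any browser's or Perspectives' code): a small Python model of the two mechanisms discussed above. The `PinStore` class mimics how a browser remembers key pins from a `Public-Key-Pins` header on the first secure visit, rejects a later connection presenting a key behind a bogus certificate, and, if the operator deploys a key that was never pinned, keeps the site unreachable until `max-age` expires. The `notary_quorum` function mimics a Perspectives-style check that the certificate the browser sees has been observed by enough notaries for long enough, and shows why sites that serve many different certificates at once fail that check. It is simplified: it pins only the leaf SubjectPublicKeyInfo rather than any key in the chain, ignores `includeSubDomains`, and the key bytes, host name, notary fingerprints and timestamps are all constructed stand-ins.

```python
import base64
import hashlib


def spki_pin(spki_der: bytes) -> str:
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()


def parse_pkp_header(value: str):
    """Parse a Public-Key-Pins header into (set of pins, max-age seconds)."""
    pins, max_age = set(), None
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "pin-sha256":
            pins.add(val)
        elif name == "max-age":
            max_age = int(val)
    if max_age is None:
        raise ValueError("max-age directive is required")
    return pins, max_age


class PinStore:
    """Trust-on-first-use pin store (simplified: pins the leaf SPKI only)."""

    def __init__(self):
        self._pins = {}  # host -> (pins, expiry as epoch seconds)

    def check(self, host: str, spki_der: bytes, now: int) -> bool:
        """Does the presented key satisfy an unexpired pin we remembered?"""
        entry = self._pins.get(host)
        if entry is None:
            return True           # never pinned: nothing to compare against
        pins, expiry = entry
        if now >= expiry:
            del self._pins[host]  # pins aged out; the site is reachable again
            return True
        return spki_pin(spki_der) in pins

    def observe(self, host: str, spki_der: bytes, header: str, now: int) -> bool:
        """Handle a successfully validated connection that carried a PKP header."""
        if not self.check(host, spki_der, now):
            return False
        pins, max_age = parse_pkp_header(header)
        presented = spki_pin(spki_der)
        # A header that does not cover the presented key, or that has no backup
        # pin, is ignored rather than stored; this is what keeps a typo from
        # pinning a key the site cannot actually serve.
        if presented in pins and pins - {presented}:
            if max_age == 0:
                self._pins.pop(host, None)
            else:
                self._pins[host] = (pins, now + max_age)
        return True


def notary_quorum(observed_fp, notary_reports, quorum, min_seconds):
    """Perspectives-style check: at least `quorum` notaries have seen
    `observed_fp` continuously for `min_seconds`. Each report is one notary's
    list of (fingerprint, first_seen, last_seen) tuples."""
    agreeing = sum(
        any(fp == observed_fp and last - first >= min_seconds for fp, first, last in report)
        for report in notary_reports
    )
    return agreeing >= quorum


# Constructed stand-ins for DER-encoded public keys (not real keys).
KEY_A = b"constructed-spki-site-key-A"
KEY_B = b"constructed-spki-backup-key-B"
KEY_C = b"constructed-spki-key-behind-bogus-cert-C"
KEY_D = b"constructed-spki-mistakenly-deployed-key-D"


def demo():
    store, host, t0 = PinStore(), "example.com", 1_464_480_000  # constructed timestamp
    header = (f'pin-sha256="{spki_pin(KEY_A)}"; pin-sha256="{spki_pin(KEY_B)}"; '
              'max-age=5184000; includeSubDomains')
    day = 86400
    stable = [[("fp-X", t0 - 40 * day, t0)]] * 3   # three notaries all saw one cert
    many_certs = [[("fp-1", t0 - 40 * day, t0)],    # each notary saw a different cert
                  [("fp-2", t0 - 40 * day, t0)],
                  [("fp-3", t0 - 40 * day, t0)]]
    return {
        "first_visit": store.observe(host, KEY_A, header, t0),
        "bogus_cert_rejected": not store.check(host, KEY_C, t0 + 60),
        "rotate_to_backup": store.check(host, KEY_B, t0 + 3600),
        "operator_mistake": not store.check(host, KEY_D, t0 + 7200),
        "after_expiry": store.check(host, KEY_D, t0 + 5184000 + 1),
        "notaries_agree": notary_quorum("fp-X", stable, quorum=2, min_seconds=7 * day),
        "notaries_unknown": not notary_quorum("fp-Y", stable, quorum=2, min_seconds=7 * day),
        "notaries_many_certs": not notary_quorum("fp-1", many_certs, quorum=2, min_seconds=7 * day),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

Every entry in `demo()` comes out `True`: the pinned site rejects the key behind the bogus certificate, accepts the pre-announced backup key, locks out the mistakenly deployed key until the 60-day `max-age` has passed, and the notary quorum holds for a stable certificate but not for a site whose notaries each see a different one.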