Moxie Marlinspike is encouraging browser developers to support an experimental project to shake up the security of website authentication by moving beyond blind faith in secure sockets layer (SSL) credentials. The Convergence open-source project is designed to address at least some of the main shortcomings that underpin trust in …
The situation is worse than CAs with conflicts of interest and hacked CAs: if a CA sets out to do bad stuff it can pretty much go ahead and do it. By the time the act is discovered and certificates revoked millions or billions may have been stolen or people locked up, tortured or dead (think bad govt. controlled CA).
Trustwave has just been caught with its pants down on this (http://www.h-online.com/security/news/item/Trustwave-issued-a-man-in-the-middle-certificate-1429982.html) but naturally they are claiming that they only did it with good in mind and nothing could possibly have gone wrong, but they say(!) they won't do it again anyway.
Yup, I'm reassured too!
any idea what product it was used in?
It had never occurred to me to get a certificate issued for *. I've generated internal certificates for *.internal.network and the work fine.
I wonder how much they charged for it and if they had to issue a refund.
Let me get this straight...
Let me get this straight Moxie, you are proposing we implement 3rd party validation for our 3rd party validation? There must be a better way!
Any certificate validation is completely buggered by my companies use of bloody Websense which performs a man in the middle attack on HTTPS traffic, although apparently not banking sites we are reassured.
An alternative solution: https://grepular.com/Solving_the_SSL_CA_Debacle_Using_Multi-Signed_Certs
We at the NSA
love this proposal and are willing to provide at least 50 Notaries forthwith. The Notary function will merge nicely with our Faux CA business.