Wednesday, January 11, 2017

Some more manipulations with the cat's fur

As I have written a number of times, PKI's reliance on Certificate Authorities, which could perhaps have worked 30 years ago when it was originally invented, doesn't perform well now that the number of CAs has grown significantly and it has become possible for a wide range of shady entities, both governmental and private, to become CAs or to issue CA certificates and make them trusted on customer computers. This includes hardware vendors (remember the Superfish issue), antivirus software (check Kaspersky's root certificate issues), corporate proxies and more.

There's a need to check, in some way, that the certificates presented during the connection are the ones that the original server intended to send. It turns out that there's no standard way to do this, and the browser vendors are not looking for efficient ways to address the problem either. There's a great article on Computerworld that lists some of the possible solutions to the problem, with descriptions and references. It contains a couple of simple, easy-to-implement approaches, which beg to be put into RFCs and similar standards. Instead, Google goes for implementing hard-to-enforce and hard-to-use approaches like the Certificate Transparency Initiative. My vote goes to Certificate Validation Framework. You can also choose your favorite approach :).