Hacker News new | past | comments | ask | show | jobs | submit login

Shouldn't it be possible to detect when this is happening, and who's issuing the certificates? We need a plugin that snarfs the certificates as they hit your browser, and a web service to log them to (send the SHA256 of the cert, and if it's not already there, send the complete contents of the cert).

I'm game if someone else is.




http://www.cs.cmu.edu/~perspectives/firefox.html


A nice idea. But isn't the path from you->notaries still vulnerable to man-in-the-middle attacks? You would have to use CA authentication to verify the "notaries" you are talking to aren't fake.


It comes with a list of the notaries and their public keys. So, the only concern is if your initial download is MitM'ed.

http://www.cs.cmu.edu/~perspectives/notary_list.txt


Or the attacker could just block those servers and then spoof that file with new URLs and public keys.


Hard to spoof a file that you've already got a local copy of...


If you can't connect to the servers because the middleman blocked them, a user might assume that the servers were updated, and then proceed to use the spoofed file...


There you go!


As long as the response from the web service is signed, this could be a good solution to what I've always seen as a small vulnerability in SSL.


... assuming the web service itself is trustworthy, of course...




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: