SSL certificate safety bolstered by standards that lessen dependence on CAs

JMH (Emeritus, Contributor; joined Apr 2, 2012; 7,197 posts)
2011 was a bad year for certificate authorities (CAs) and for the privacy of internet users, as multiple successful attacks against CAs resulted in a reduction in confidence in the basic structure of trust that SSL/TLS depends on.

Last summer, Moxie Marlinspike proposed a new system called Convergence that puts the decision about whom to trust in the hands of users. There are some technical challenges with Marlinspike's approach, and to date not many people have embraced the technology.

Within the last 6 months, two new proposals have come forward that look to make a more gradual, compatible transition away from the current model possible.

One proposed by Google engineers is called Public Key Pinning Extension for HTTP, while another similar idea backed by Marlinspike and Trevor Perrin is called Trust Assertions for Certificate Keys (TACK).
http://nakedsecurity.sophos.com/201...Feed:+nakedsecurity+(Naked+Security+-+Sophos)