[messaging] Google End-to-End plans on using key directories with a CT-like verification protocol
Tao Effect
contact at taoeffect.com
Fri Aug 29 11:49:01 PDT 2014
On Aug 29, 2014, at 10:30 AM, Watson Ladd <watsonbladd at gmail.com> wrote:
> On Fri, Aug 29, 2014 at 10:17 AM, Tao Effect <contact at taoeffect.com> wrote:
>> I had checked the website the day prior to those tweets. Cert change
>> appeared a day later. That is why I was (and am still) convinced that it was
>> a MITM attack.
>
> Where the website owner confirmed that the new cert was correct?
Yes, see the tweets. It was an example of a revoked certificate being used in place of the new one (possibly compromised because of HeartBleed). Neither Chrome nor Firefox can reliably check to see if a certificate is revoked.
> The basic problem is that the only individual who knows what keys
> should be associated with them, is the individual who owns the private
> keys. And so you need to have a consistent, global view of that map,
> which can get occasionally updated and have them check the correctness
> of this map.
Yes, such a mapping is called "The Blockchain". :-)
DNSChain makes that mapping accessible to all devices (without needing to run a node or store the blockchain locally):
https://github.com/okTurtles/dnschain
Kind regards,
Greg Slepak
--
Please do not email me anything that you are not comfortable also sharing with the NSA.
>
>>
>> This event serves as a real-world example of the community's reaction to
>> MITM attacks. It highlights extreme skepticism and apathy in spite of clear
>> evidence of a MITM attack.
>>
>> Only major CA compromises that have affected giant companies (like Google)
>> get press.
>>
>> This example shows that people on this list could be MITM attacked right
>> now, and in the unlikely event that they detected it, it may not matter
>> much. That is why I prefer systems that prevent MITM attacks from happening
>> in the first place, and without any ambiguity.
>
> What's the difference between the key associated to
> watsonbladd at gmail.com changing because I forgot a passphrase and
> changing because it's been MITM'd? If you want to make addresses keys,
> then you introduce a different set of problems, where the address
> associated to an individual is changed.
>
> The basic problem is that the only individual who knows what keys
> should be associated with them, is the individual who owns the private
> keys. And so you need to have a consistent, global view of that map,
> which can get occasionally updated and have them check the correctness
> of this map.
>
> Sincerely,
> Watson Ladd
>
>>
>> Cheers,
>> Greg Slepak
>>
>> --
>> Please do not email me anything that you are not comfortable also sharing
>> with the NSA.
>>
>>
>>
>> _______________________________________________
>> Messaging mailing list
>> Messaging at moderncrypto.org
>> https://moderncrypto.org/mailman/listinfo/messaging
>>
>
>
>
> --
> "Those who would give up Essential Liberty to purchase a little
> Temporary Safety deserve neither Liberty nor Safety."
> -- Benjamin Franklin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140829/b8502917/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://moderncrypto.org/mail-archive/messaging/attachments/20140829/b8502917/attachment.sig>
More information about the Messaging
mailing list