    Internet certificate system - time for a change?

      Dashrender

      Recently heard someone talking about the possible shift to something new (unknown what) to replace the current certificate infrastructure on the internet. Why? Well, let's talk about that.

      Windows currently trusts something like 800+ certificate authorities. Undoubtedly some of those CAs are run by their governments. This means that those governments could mint certificates on the fly for any domain on the planet and be a MITM at the carrier level on the backbone of the internet.

      Some of this is thwarted by other safeguards, but they are just a stopgap at best, and really only protect those that are controlling their browser - I'm talking about Google here. If you use Chrome, one of the protections you get is Chrome knows the ID of all valid Google Certificates. There have been reports of MITM attacks with forged certificates, and Chrome is informing Google and the user of the issue. But this doesn't help anyone using any other browser, or any other site while on Chrome.

      Simply using the Public CA system is no longer reliably considered to be secure, IMO.

      So, what do you think?

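The pinning check described in the post above, as an added example that is not part of the original thread. It assumes the pinned "ID" is a SHA-256 hash of the certificate's SubjectPublicKeyInfo; the certificates, CA names and host name are constructed toy values, unsigned and only X.509-shaped.

```python
import base64
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        start, n = pos + 2, first
    else:                                  # long-form: low 7 bits give the length size
        start = pos + 2 + (first & 0x7F)
        n = int.from_bytes(buf[pos + 2:start], "big")
    if start + n > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + n

def spki_pin(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo)) for a DER X.509 certificate."""
    _, tbs_pos, _ = read_tlv(cert_der, 0)          # Certificate -> TBSCertificate
    _, pos, _ = read_tlv(cert_der, tbs_pos)        # first field inside TBSCertificate
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                                # optional [0] version
        pos = end
    for _ in range(5):                             # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)            # SubjectPublicKeyInfo
    return base64.b64encode(hashlib.sha256(cert_der[pos:end]).digest()).decode()

def pin_ok(cert_der, pins):
    return spki_pin(cert_der) in pins              # key must already be known to the client

def tlv(tag, body):
    assert len(body) < 0x80                        # toy encoder: short lengths only
    return bytes([tag, len(body)]) + body

def toy_spki(key):
    return tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + key))

def toy_cert(issuer, subject, key):
    """Constructed, unsigned, X.509-shaped DER: enough structure to pin, nothing more."""
    name = lambda cn: tlv(0x30, tlv(0x0C, cn.encode()))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"")
              + name(issuer) + tlv(0x30, b"") + name(subject) + toy_spki(key))
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

GENUINE = toy_cert("Example Root CA", "www.example.test", b"\x11" * 32)
REISSUED = toy_cert("Example Root CA 2", "www.example.test", b"\x11" * 32)  # same key
FORGED = toy_cert("Other Trusted CA", "www.example.test", b"\x22" * 32)     # new key
PINS = {spki_pin(GENUINE)}
```

The pin follows the key rather than the issuer: `REISSUED` still passes, while `FORGED` fails even though a client relying on the trust store alone would accept any certificate chaining to a trusted CA.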
        travisdh1

        The system started breaking down when the number of trusted certificate providers started trending up. 800+ now? That's just crazy town. I can guarantee multiple providers have been breached at that point. Plus what @Dashrender already mentioned.

        The big problem is going to be getting everyone to agree on a system to use. I'd also be willing to bet that it would become a bloated mess if any number of large corporations are involved.

          Dashrender @travisdh1

          @travisdh1 said in Internet certificate system - time for a change?:

          The system started breaking down when the number of trusted certificate providers started trending up. 800+ now? That's just crazy town. I can guarantee multiple providers have been breached at that point. Plus what @Dashrender already mentioned.

          It was bad enough at 50, then 300, but damn 800? WTF?

          The sad thing is that so many see this as a way to make money. It would be awesome to see more free cert providers, but maybe not, maybe the one we have now is good enough. The whole EV cert thing - do users really care/check/know what it's about, etc?

          The big problem is going to be getting everyone to agree on a system to use. I'd also be willing to bet that it would become a bloated mess if any number of large corporations are involved.

          Really? The big IT players getting involved seem to keep the options to fewer, not more. Like BluRay vs HD DVD, then eventually one will win.

          But it's about getting a system that can't be easily, if at all, corrupted.

          If Windows didn't auto reinstall all the damned certs, I'd get rid of most of them. Hell I'd get rid of Verisign - did you hear that they gave an intermediary to a carrier class device maker. Of course that maker claimed they never deployed it in their systems for carriers - yeah whatever!

            travisdh1 @Dashrender

            @Dashrender said in Internet certificate system - time for a change?:

            The big problem is going to be getting everyone to agree on a system to use. I'd also be willing to bet that it would become a bloated mess if any number of large corporations are involved.

            Really? The big IT players getting involved seem to keep the options to fewer, not more. Like BluRay vs HD DVD, then eventually one will win.

            I wasn't talking about the number of options, I was thinking about the actual code.

              coliver

              Check out Block-chain certificates. It was proposed as a means of fixing some of these issues you are bringing up.

                travisdh1 @coliver

                @coliver said in Internet certificate system - time for a change?:

                Check out Block-chain certificates. It was proposed as a means of fixing some of these issues you are bringing up.

                That's almost a workable idea. The big problem with bitcoin currently is the massive size of the block chain, if they could work around that, great!

                  Dashrender @travisdh1

                  @travisdh1 said in Internet certificate system - time for a change?:

                  @coliver said in Internet certificate system - time for a change?:

                  Check out Block-chain certificates. It was proposed as a means of fixing some of these issues you are bringing up.

                  That's almost a workable idea. The big problem with bitcoin currently is the massive size of the block chain, if they could work around that, great!

                  Doesn't that have a compression part where things kinda fall off, but can be verified as still valid without holding 100% of the data?

                    travisdh1 @Dashrender

                    @Dashrender said in Internet certificate system - time for a change?:

                    @travisdh1 said in Internet certificate system - time for a change?:

                    @coliver said in Internet certificate system - time for a change?:

                    Check out Block-chain certificates. It was proposed as a means of fixing some of these issues you are bringing up.

                    That's almost a workable idea. The big problem with bitcoin currently is the massive size of the block chain, if they could work around that, great!

                    Doesn't that have a compression part where things kinda fall off, but can be verified as still valid without holding 100% of the data?

                    Not that I know of. Most people that just use bitcoin to save/spend don't need the block chain at all, the server for the storage end of it takes care of that. If you're mining, or keeping your own on a personal computer, then you need the entire thing.
