Linked by Thom Holwerda on Mon 5th Sep 2011 22:26 UTC
Privacy, Security, Encryption
So, people from within Iran have hacked the Dutch company DigiNotar, allowing them to issue fake certificates so they could listen in on Iranian dissidents and other organisations within Iran. This is a very simplified version of the story, since it's all quite complicated and I honestly don't even understand all of it. In any case, DigiNotar detected the intrusion July 19, but didn't really do anything with it until it all blew up in their face this past week. Now, the Dutch government has taken over operational management of DigiNotar... But as a Dutch citizen, that doesn't really fill me with confidence, because, well - whenever the Dutch government does anything even remotely related to IT technology, they mess it up. And mess it up bad.
Permalink for comment 488807
Alfman
Member since:
2011-01-28

Lennie,

Wow, how did you hear about convergence?

The convergence website is unfortunately void of details. However the youtube clip seems to tackle everything we've talked about here... great find! Definitely a very interesting approach, and I am very impressed overall - it's a great look at the CS theory to see what's possible.

He says you can configure notaries to verify the CA signatures cryptographically as normal, but I'm honestly not sure what this mode buys us. What difference does it make whether the CA cert is validated in my browser or on a trusted notary server?

The concept which I find most novel is the "perspective verification", which verifies that my notaries are seeing the same (unverified) SSL certificate as myself. If I am the target of a middle man attack where the SSL certs in my traffic are forged, then the discrepancy would be detected with my notaries.

Hypothetically though, it could be pretty easy for a backbone provider or a country like China to do a man-in-the-middle such that all the notaries I have access to are compromised in the same way. This problem does not exist today with CA SSL.

Reply Parent Score: 2
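The "perspective verification" described in the comment above, and the blind spot it raises (every reachable notary sitting behind the same interception point), can be modelled in a few lines. The following is an added example written for this page, not code from Convergence or from the commenter: the certificates are constructed byte strings standing in for DER, the notary names are made up, and the two agreement policies ("majority" and "consensus") are assumptions about how a client might weigh notary answers, not a description of any particular client's settings.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed stand-ins for DER-encoded certificates (not real certificates).
GENUINE_CERT = b"constructed DER: CN=example.test, issued by the site's real CA"
FORGED_CERT = b"constructed DER: CN=example.test, issued by an interceptor's CA"

NOTARIES = ["notary-a", "notary-b", "notary-c"]  # hypothetical notary names


def fingerprint(cert_der: bytes) -> str:
    """Clients and notaries compare what they saw by certificate fingerprint,
    so no private key or CA chain is needed for the comparison itself."""
    return hashlib.sha256(cert_der).hexdigest()


def perspective_check(client_fp: str,
                      notary_reports: Dict[str, Optional[str]],
                      policy: str = "majority") -> Tuple[str, int, int]:
    """Compare the client's fingerprint with each notary's own view of the host.

    notary_reports maps a notary name to the fingerprint it observed from its
    vantage point, or None if the notary could not be reached.
    'majority'  : accept when more than half of the responding notaries agree.
    'consensus' : accept only when every configured notary responded and agreed.
    Returns (verdict, agreeing_notaries, responding_notaries).
    """
    responding = [fp for fp in notary_reports.values() if fp is not None]
    agreeing = sum(1 for fp in responding if fp == client_fp)
    if policy == "consensus":
        ok = agreeing == len(notary_reports)
    elif policy == "majority":
        ok = bool(responding) and agreeing * 2 > len(responding)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return ("accept" if ok else "reject", agreeing, len(responding))


def run_scenario(client_cert: bytes,
                 notary_view: Dict[str, Optional[bytes]],
                 policy: str = "majority") -> Tuple[str, int, int]:
    """Turn raw certificate bytes seen by client and notaries into a verdict."""
    reports = {name: (fingerprint(c) if c is not None else None)
               for name, c in notary_view.items()}
    return perspective_check(fingerprint(client_cert), reports, policy)


def scenario_no_attack(policy: str = "majority") -> Tuple[str, int, int]:
    """Everyone sees the genuine certificate."""
    return run_scenario(GENUINE_CERT, {n: GENUINE_CERT for n in NOTARIES}, policy)


def scenario_local_mitm(policy: str = "majority") -> Tuple[str, int, int]:
    """Only the client's path is intercepted: notaries see the real cert, so
    the forged one stands out and is rejected. This is the case the comment
    says perspective verification catches."""
    return run_scenario(FORGED_CERT, {n: GENUINE_CERT for n in NOTARIES}, policy)


def scenario_upstream_mitm(policy: str = "majority") -> Tuple[str, int, int]:
    """Interception upstream of every reachable notary: all of them report the
    same forged cert as the client, so the check passes. This is the blind
    spot the comment describes; notary diversity of network path is the only
    defence within the model."""
    return run_scenario(FORGED_CERT, {n: FORGED_CERT for n in NOTARIES}, policy)


def scenario_one_notary_down(policy: str = "majority") -> Tuple[str, int, int]:
    """Genuine cert, but one notary is unreachable: majority still accepts,
    consensus refuses because it cannot get a full set of perspectives."""
    view = {n: GENUINE_CERT for n in NOTARIES}
    view["notary-c"] = None
    return run_scenario(GENUINE_CERT, view, policy)


if __name__ == "__main__":
    for name, fn in [("no attack", scenario_no_attack),
                     ("client-side MITM", scenario_local_mitm),
                     ("upstream MITM (all notaries)", scenario_upstream_mitm),
                     ("one notary down", scenario_one_notary_down)]:
        for policy in ("majority", "consensus"):
            print(f"{name:30s} {policy:10s} -> {fn(policy)}")
```

The upstream scenario is the point of the exercise: a notary only helps if its path to the site differs from yours, so a client that selects notaries all reachable through the same backbone or national border gets unanimous, and wrong, agreement.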