[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Avoiding HTTPS pitfalls [was: Re: Moxie Marlinspike]



2009/2/24 coderman <coderman@xxxxxxxxx>:
> On Mon, Feb 23, 2009 at 12:04 PM, Fran Litterio <flitterio@xxxxxxxxx> wrote:
>> ...
>> This is ok, but I'd also like to be alerted when the certificate changes for
>> a site that I regularly visit.
>
> yes.
>
> Tyler's suggestion is a good one.  if you want the certs themselves
> authenticated you get to manage them yourself too.  remove all CA's by
> nuking libnssckbi.so and only add back those you've authenticated and
> trust.
>
> sadly, this is beyond the skills of most people. the PKI cartel lives
> another day... :P

Perspectives (http://www.cs.cmu.edu/~perspectives/) is another useful
tool.  You can change the quorum %, the length of time that quorum
must be acheived, and conditions under which Perspectives checks.
This isn't self-management, but does provide a additional certificate
check.

J