A problem exist in any modern browser & mainly with the idiot behind the keyboard.
We are all humans! and trusting by nature !
Since most people don't understand SSL/TLS, muchness what a x.509 certificate does, they do stupid things that that put them at risk do to the trusty nature.
- How many times have we see a browser side error and click thru -it?
- Do we even know what those errors mean?
- Do we even bother to investigate it ?
for 7 out of 10 I would say no to all of the above questions
Most individuals in a IT environment have no clue and then we expect the end-user to understand it all.
In the big CentralAuthority aka CA pyramid, " we put a lot of trust in the CA , and Intermediates, and the server certificates ".
A client ( end-user ) that see a HTTPS as the URL protocol and assume they are 100% secured and protected but have little to no info to even determine if there's a MiTM or even if the site is really
that site.
We see this everyday with various phishing attacks and rogue sites that are populated across the internet.
The sovereign key concept should be taken more seriously and ridding site dependencies from a central Authority.
(
you can read more about the proposal )
https://git.eff.org/?p=sovereign-keys.git;a=blob_plain;f=sovereign-key-design.txt;hb=master
The goal w/sovereignkeys is to apply truth to the certificate via timeline, and new key concept append for the certificate validation.
Take my day job, they are running internal users thru a proxy and the end-users has no clue that a "proxy" and the certificate is really not the "real site" , but again they see the http lock icon and think all is good and they are 100% safe.
With sovereign keys, every web HTTPS proxy would be broken . Since we can have hundreds of CAs any one could be trusted by the end-user ( the browser ) , any could forge a certificate and the end-user would not be any wiser that the site is really not
that site .
We need a means for validating the website certificate and for just that site. With sovereign key we can really validate the site we are connecting with , and break the dependency of just trusting the CA and the certificate presented by the website.
Just food for thought when your on a foreign-network and think your connecting to that site . Remember some one somewhere could be peeking.
Ken Felix
NSE ( network security expert) and Route/Switching Engineerkfelix -----a----t---- socpuppets ---dot---com ^ ^=( @ @ )= o / \