Comment by Karunamon

11 years ago

This is awesome! It looks like what CACert.org set out to be, except this time, instead of developing the CA first and then seeking certification (which has been a problem due to the insanely expensive audit process), the EFF got the vendors on board first and then started doing the nuts and bolts.

This is huge if it takes off. The CA PKI will no longer be a scam!!

I'd trust the EFF/Mozilla over a random for profit "security corporation" like VeriSign any day of the week and twice on Sunday to be good stewards of the infrastructure.

I don't see how this actually keeps the CA PKI from being a scam. While I personally trust the EFF & Mozilla right now, as long as I can't meaningfully revoke that trust, it's not really trust and the system is still broken.

  • You can revoke your trust in any CA at any time, you don't even need to see any errors! Just click the little padlock each time you visit a secure website and see if the CA is in your good books. If it's not, pretend the padlock isn't there!

    OK, that's a little awkward. A browser extension could automate this. But in practice, nobody wants to do this, because hardly anyone has opinions on particular CAs. It's a sort of meta-opinion - some people feel strongly they should be able to feel strongly about CAs, but hardly anyone actually does. So nobody uses such browser extensions.
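The "revoke your trust in a CA" idea from the reply above, taken down to the level of the verifier's trust store, as an added example that is not part of this thread. It assumes the openssl CLI is installed; the CA and the leaf certificate are constructed on the spot, so nothing here touches a real CA.

```shell
#!/bin/sh
# Added example: trust in a CA is just its presence among the trust anchors the
# verifier consults. Remove the anchor and every certificate it issued stops
# verifying, which is what "revoking trust in a CA" means in practice.
# Assumes the openssl CLI; all certificates below are constructed locally.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Constructed root CA "Example Root CA" (self-signed, CA:TRUE by default).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Example Root CA" -days 1 >/dev/null 2>&1

# Constructed leaf certificate for example.test, issued by that CA.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out leaf.pem -days 1 >/dev/null 2>&1

# verify_with_anchors <anchors.pem>: exit 0 only if leaf.pem chains to an
# anchor in the given file. The system trust store is deliberately excluded
# so the result depends solely on the anchors we choose.
verify_with_anchors() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" leaf.pem >/dev/null 2>&1
}

# Trust store that still contains the CA: the site verifies.
cp ca.pem trusted.pem
verify_with_anchors trusted.pem && echo "CA trusted: example.test verifies"

# "Revoke" trust by dropping the CA from the store (here: an empty store).
# Nothing about the certificate changed; only our opinion of its issuer did.
: > distrusted.pem
verify_with_anchors distrusted.pem || echo "CA distrusted: example.test rejected"
```

A browser extension of the kind the reply imagines would do the same comparison per site, against a list of CAs the user has decided to distrust.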