← Back to context

Comment by tatterdemalion

11 years ago

I don't see how this actually keeps the CA PKI from being a scam. While I personally trust the EFF & Mozilla right now, as long as I can't meaningfully revoke that trust, it's not really trust and the system is still broken.

10 comments

tatterdemalion

Reply
mike_hearn  11 years ago

You can revoke your trust in any CA at any time, you don't even need to see any errors! Just click the little padlock each time you visit a secure website and see if the CA is in your good books. If it's not, pretend the padlock isn't there!

OK, that's a little awkward. A browser extension could automate this. But in practice, nobody wants to do this, because hardly anyone has opinions on particular CAs. It's a sort of meta-opinion - some people feel strongly they should be able to feel strongly about CAs, but hardly anyone actually does. So nobody uses such browser extensions.

  • desdiv  11 years ago

    Can't you just delete the CA from the browser?

    On Firefox it's preferences -> advanced -> certificates -> view certificates.

    • tatterdemalion  11 years ago

      Yes you can. Obviously, you can choose not to make secure connections with sites certified by a CA you don't trust. But then you just can't use your bank's website anymore, or your search engine, or whatever.

      Users have a clear stake in whatever informational exchange occurs between them and the websites we access. We should have the authority to participate in determining the terms on which that exchange is secured.

    • technomancy  11 years ago

      I'm curious as to whether Firefox's sync functionality propagates CA overrides across machines. If not then this is something you'd have to repeat over for every machine you use, making it effectively too tedious to be practical.

      1 reply →

  • eric_bullington  11 years ago

    >A browser extension could automate this.

    Unfortunately, it couldn't on Chrome, because you can't even access a page's certificate from an extension in Chrome:

    http://stackoverflow.com/questions/18689724/get-fingerprint-...

    And Firefox's certificate API is not much better, only passive access without ability to block connections if you detect an unwanted cert.

    • handsomeransoms  11 years ago

      > And Firefox's certificate API is not much better, only passive access without ability to block connections if you detect an unwanted cert.

      Nope. Firefox's Addon API lets you do pretty much whatever you want. It might be kind of hard and annoying, but you can certainly block connections that are signed by an untrusted CA. How do you think Convergence [0] worked?

      [0] http://convergence.io/

      2 replies →

  • pwnna  11 years ago

    Can't you just remove the cert from your OS/browser's trust store? I can do this on Ubuntu + Firefox.

    Incidentally, I can also add my own CA.