Description
|
Certificate authorities suck, but the proposed replacements (e.g. DNSSEC/DANE) aren't so great either. We think Namecoin can help here, and the code is working and released!
|
Website(s)
|
|
Type
|
Talk
|
Kids session
|
No
|
Keyword(s)
|
software, hacking, security
|
Tags
|
TLS, Namecoin, Cryptocurrency
|
Processing assembly
|
Assembly:Monero Assembly
|
Person organizing
|
User:JeremyRand
|
Language
|
en - English en - English
|
Related to
|
Projects:Namecoin
|
Other sessions...
|
Certificate authorities (CA's) pose a serious threat to the TLS ecosystem. Unfortunately, the various proposed solutions (e.g. Convergence, DANE, HPKP, CAA, and CT) do not solve the underlying problem: the existence of trusted parties in the process of converting a domain name to a certificate acceptance policy. While it may be an improvement to reshuffle the trusted parties to have more trust agility (Convergence), a smaller set of fully trusted parties (DANE), a more limited window of opportunity for attackers (HPKP and CT) or more accountability after-the-fact (HPKP, CAA, and CT), we think it's time to solve the underlying problem. Namecoin introduces the ability to do exactly that: if you know a Namecoin domain name, you can find out which TLS certificates are valid for it, with a threat model and codebase nearly identical to the battle-hardened Bitcoin. In addition, we figured out how to make this work in the real world of uncooperative web browsers: Namecoin TLS certificate validation works with Chromium on Windows, without the high attack surface of intercepting proxies or the cookie leakage of browser extension API's.