Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Couldn't you compare the fingerprints of a cert as accessed from a suspect network and from a trusted network?


Well yes, if you've got the same server and cert. Often the SSL frontend of big websites serve multiple certs so you'd have to have all of them to compare against.

Plugins like Convergence will verify who signed a cert for you, assuming the notaries aren't blocked by your corp proxy (and currently blocking any of them will kill the whole chain of trust, so it's not as useful as it seems).

In any case, your HTTP client having the right software and right root certs is the only way to know what is valid and what isn't. You could compare the fingerprint from your 3G phone's browser (or the issuers in the chain's fingerprints) to the cert from your PC's browser. Unless the phone is managed by your company too, in which case they can install the fake root cert there as well...

What's also kind of funny is it's easier to spoof a cert on a mobile phone than a PC. Phones can be updated over-the-air by the mobile provider while your PC has to give some kind of admin rights to your ISP. Since mobile devices are "the future of computing" this makes who controls the mobile device a scary proposition, especially in countries with oppressive regimes (or countries that like to shove internet legislation down your throat without asking).




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: