SSL Certificate Alternatives: Convergence, Perspectives, Observatory, worthwhile?

Discussion in 'privacy technology' started by cb474, Oct 14, 2013.

Thread Status:
Not open for further replies.
  1. cb474, Registered Member (Joined: May 15, 2012; Posts: 325)

    Most of the threads at Wilders I see about alternative SSL certificate methods, through plugins like Convergence and Perspectives, as well as the EFF's Observatory project, seem a little old.

    Has interest in these projects waned? What experiences have people had with them? Any opinions about one being better than the other?

    Also, it's unclear to me whether they can be used together, two at a time or even all three of them. Would that not work? Be complete overkill?

    Thanks for thoughts and responses.
     
  2. cb474, Registered Member (Joined: May 15, 2012; Posts: 325)

    I'm still wondering what people think about these projects for checking SSL certificates. In the wake of the Heartbleed bug would they be a good idea? My understanding is that browsers don't do such a good job of keeping track of whether or not certificates have been revoked. Would any of these plugins help?
     
  3. BoerenkoolMetWorst, Registered Member (Joined: Dec 22, 2009; Posts: 3,764; Location: Outer space)

    Convergence is indeed a little old and it is different from the others. It totally replaces the CA system, which means your browser only sees a Convergence certificate so it doesn't work with other solutions.
    Perspectives' latest version is from February: https://addons.mozilla.org/nl/firefox/addon/perspectives It checks certificates and compares against other servers to see if they see the same certificates. You can tweak when it gives warnings.
    EFF's Observatory is included in HTTPS Everywhere (not for every browser, perhaps only Firefox) so it's still updated regularly. There are a few options, but it isn't really clear when it decides to warn.

    There is also Certificate Patrol for Firefox. Unlike the others it doesn't send/receive any data, but it remembers used certificates and warns users when they are changed.

    So, it seems there is not much for other browsers :(

    EDIT: Oh and if you use IE, there's the Certificate Pinning feature from EMET.
     
    Last edited: Apr 16, 2014
  4. cb474, Registered Member (Joined: May 15, 2012; Posts: 325)

    Thanks for the thoughts. Do you think any of those (Perspectives, Observatory, or Certificate Patrol) is worthwhile and provides any real increased security? I can't tell if they are all really just a nice idea that isn't going to work well, because they won't get the mass adoption necessary for that.

    As far as other browsers go, I wonder if some of the virus/malware software these days has this sort of certificate checking built into their security suites?
     
  5. BoerenkoolMetWorst, Registered Member (Joined: Dec 22, 2009; Posts: 3,764; Location: Outer space)

    Perspectives and the Observatory probably need high adoption for becoming really good, but they still might warn you about a Man in the Middle attack.
    Because Certificate Patrol is different you don't have that problem, but it can only warn about new certificates it doesn't know, not if they are bad or not, the user has to decide that. (Though it has different warnings for different scenarios. Was the old cert about to expire? Is it issued by the same or another CA?)
    Afaik not.
    They look if a scanned file has a certificate for heuristic detection and software like HIPS usually has options to trust signed files to reduce pop-ups, but that's it.
    I would be surprised if most of them even check if the certificate is valid in these scenarios.
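
The local remember-and-compare approach described for Certificate Patrol in the posts above, sketched as an added example that is not part of the thread and not Certificate Patrol's own code. The 30-day window, the record fields, the host name and the sample certificates are constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta

EXPIRY_WINDOW = timedelta(days=30)  # assumed meaning of "about to expire"

def summarize(cert):
    """Reduce a certificate record to what the local store remembers."""
    return {"fp": hashlib.sha256(cert["der"]).hexdigest(),
            "issuer": cert["issuer"], "not_after": cert["not_after"]}

def check(store, host, cert, now):
    """Compare cert with the one remembered for host; return (verdict, reasons).

    Purely local: nothing is sent to or fetched from a notary. A changed
    certificate is never stored here; the user decides and calls accept().
    """
    seen, old = summarize(cert), store.get(host)
    if old is None:
        store[host] = seen          # trust on first use
        return "first-seen", []
    if old["fp"] == seen["fp"]:
        return "unchanged", []
    reasons = []
    if old["issuer"] != seen["issuer"]:
        reasons.append("issued by another CA")
    if old["not_after"] - now > EXPIRY_WINDOW:
        reasons.append("old certificate was not about to expire")
    return ("changed-suspicious" if reasons else "changed-routine"), reasons

def accept(store, host, cert):
    """Record the user's decision to trust the new certificate."""
    store[host] = summarize(cert)

# Constructed sample data: the byte strings stand in for DER certificates.
NOW = datetime(2014, 4, 16)
CERT_A = {"der": b"constructed-cert-A", "issuer": "Example CA 1",
          "not_after": datetime(2014, 5, 1)}
CERT_B = {"der": b"constructed-cert-B", "issuer": "Example CA 1",
          "not_after": datetime(2015, 5, 1)}
CERT_C = {"der": b"constructed-cert-C", "issuer": "Example CA 2",
          "not_after": datetime(2015, 6, 1)}

if __name__ == "__main__":
    store = {}
    for cert in (CERT_A, CERT_A, CERT_B, CERT_C):
        print(check(store, "example.test", cert, NOW))
        accept(store, "example.test", cert)
```

A first-seen certificate is stored without any check, so this approach only detects changes after the first visit.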
     
  6. cb474, Registered Member (Joined: May 15, 2012; Posts: 325)

    Okay, thanks for the thoughts.
     
  7. MrBrian, Registered Member (Joined: Feb 24, 2008; Posts: 6,032; Location: USA)

    The last time I used Perspectives (a few months ago) it had only a few active network notaries.
     
  8. BoerenkoolMetWorst, Registered Member (Joined: Dec 22, 2009; Posts: 3,764; Location: Outer space)

    Yes, same here, they aren't always online, sometimes only 2.
     
  9. MrBrian, Registered Member (Joined: Feb 24, 2008; Posts: 6,032; Location: USA)

  10. cb474, Registered Member (Joined: May 15, 2012; Posts: 325)

    Thanks for the article MrBrian.
     