Hello,

After I watched Moxie's talk about Convergence for the second time in my life:

https://www.youtube.com/watch?v=Z7Wl2FW2TcA
http://convergence.io/details.html

I just wondered... what is the pull back regarding Convergence to put it in the web browsers by default?

Problems regarding Convergence from Slashdot:

So I hijack the router that website is using to access the internet. I install some software on the router to return a fake cert. I see the fake cert. All of the other notaries see the fake cert. If this is a popular site the notaries might notice a cert change, but if it's a low volume site that the notaries never go to, we all agree the fake cert is valid. How is this more secure?

Or I hack the router you use to access the internet... all of the notaries you try to talk to I redirect to me. I say every site is valid regardless if it is or not. How is this more secure?

-->> Presumably because the CA would be running its own notary (or notary check), and thus is able to detect certificate variations?

Any thoughts, opinions about the topic? Why couldn't Firefox have Convergence built-in to free us from the CA system? It's a very sad thing that Convergence isn't maintained nowadays...

Have a nice day.