On 09/03/14 22:59, Raphael Wegmann wrote:
What about creating a distributed hash-table, where we could count collectively, which public-key has been used by a particular server how often? When I visit amazon.com and my browser tells me, that I am the only one who got that public-key I'm having, I know immediately, that I am not really communicating with Amazon.
If an MITM attack is pointing you at a fake Amazon, how are you going to ensure the same attacker isn't going to show you a fake hash-table? One possible answer is certificate pinning, but if you've used Amazon.com before, certificate pinning can warn you it's using a different key (and different CA) from last time without the table. https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning https://datatracker.ietf.org/doc/draft-ietf-websec-key-pinning/ https://www.imperialviolet.org/2011/05/04/pinning.html https://wiki.mozilla.org/Security/Features/CA_pinning_functionality http://tack.io/index.html is an alternative with similar aims. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
