The other day I saw this presentation about Convergence, it is a system designed to avoid using your browser's built-in CA (certificate authorities) for authenticating SSL certificates. Marlin talks about how the system is broken and how Comodo fails etc etc. Then goes on about various systems like certificates in DNS (I had a similar idea), but apparently they are vulnerable to DNS attacks..

Of course, I hate commercial CAs, they have no place on the Internet and have done nothing good for anyone, ever. (maybe a bit strong, but still). And of course browser vendors have sold their trust (and souls (if applicable)) to any CA available while still making you freak out when you reach a self signed certificate.. So of course I tried out Convergence, I even set up a notary (of course). After a couple of hours testing I came up with some pros and cons:

Pros

• Remove CAs from the equation

Cons

• Some sites do not seem to work, even Google (Citibank site effect, but for people outside the U.S.A. (yes, they exist)
• Slow. I have to connect to as many notaries as I have configured and compare data retrieved for each.. . slow.
• Problems with LAN sites, or sites protected by IP etc etc (sites that cannot be accessed by notaries)
• If the certificate is compromised and (hence) changed, you could be subject to hijacking as your convergence plugin will not re-query the notaries (unless you un-check the "use cache" option.. extra slow)
• DNS attacks are still possible, because most people will be using the default notaries anyway.. Which if this happens is worse then the average MITM as this would compromise ALL SSL connections !
• Crashes Firefox (but that is easily fixable I am sure)
• The "view certificate" function shows me "Convergence Local CA" and not the actual certificate of the website I am viewing, one has to go somewhere in the options to verify this.. this sucks.
• This is useless if the MITM is happening between the server and the Internet, actually, if everyone was using Convergence MITM attacks on a server's IP would now be easier to do, no need to trick Comodo into selling you certificate for someone else's domain.

As you can guess I stopped using this plugin about a few hours later. I also lost that sense of security when visiting my websites (webmail and all those things) as I have my own CA and/or know my certificates hashes, with Convergence I am lost.

I like the motivation behind Convergence (and Perspectives) but it simply appears to be totally broken. I could be missing something and would be glad to hear about it. After testing convergence I think that SSL without CAs using DNS is still a better option.

I also believe that as far as DNS poisoning goes, I do not understand why everyone doesn't have a local resolver, even and especially on laptops on the go.

More on Comodo as it seems that there was another attempt to generate more SSL certs. Very interesting is that COMODOHACKER explains him/her.self via the copy pasting site. Some interesting details were shared like: I hacked Comodo from InstantSSL.it, their CEO's e-mail address mfpenco@mfpenco.com Their Comodo username/password was: user: gtadmin password: globaltrust Their DB name was: globaltrust and instantsslcms You have to admit that with a password like that... . you can be sure they mean business. (and by that I mean none of my business).

Anyway, it has been confirmed that this person is indeed responsible (at least partially) for this nice demonstration by errata security.

I'll just say it again, when will we all agree that the business of signing SSL certificates is just a bunch of bullshit ?

We [should] all know that trusting third party SSL roots is bad, but if you are still not convinced then read how Comodo's SSL service was compromised. In short a reseller account was broken into and from there the attacker requested certificates for 7 domain names.

What this means is that certificates are issued without being verified. Whether it is the reseller or an attacker that is trying to generate certificates, they are not really verified, they are simply issued. Again, why do people trust ANY of these Certificate Authorities ?

Maybe time to think more about Monkeysphere and/or an SSL verified over DNS system.

Pidgin users with MSN accounts may have been experiencing problems connecting. It seems they have changed their certificate. The solution seems to be to manually delete the certificate, either by going to "Menu -> Tools -> Certificates" or by doing something like:

It seemed to work, but then the next day I had to do it again, I checked the certificates and found out the following:

The certificate that expired was valid from Tue Dec 1 22:45:11 2009 till Wed Dec 1 22:45:11 2010. The one I got the other day after moving this one is valid from Wed Jun 23 03:06:48 2010 till Thu Jun 23 03:06:48 2011, and after getting the same issue again and mv again the certificate I received a new one valid from Mon Nov 15 22:28:19 2010 till Wed Nov 14 22:28:19 2012.. .

I am going to guess there is an issue with their servers not using the same key every time, and I am going to guess that the official MSN client uses more than one certificate so it can switch from one to another depending on the server you connect to with giving the user any alert. .. .(yeah this does seem to not fit with the whole idea of the certificate.. . then again what do I know).. anyway, the three certs I got so far have these SHA1 fingerprints:

The one I originally had

f3:1f:2c:78:6a:8f:97:a6:8d:a8:c9:d4:0a:af:64:ae:63:57:88:17

The one I got a couple of days ago

c8:f3:b1:69:52:36:07:33:b5:02:1b:a2:b2:b4:ce:32:b9:68:37:36

The one I just got now

ac:7e:e4:5f:97:b8:7e:f0:0b:ac:a6:51:9f:ba:51:f0:ad:73:17:8b

It almost looks like MSN got a Man In The Middle attack or something strange like that, maybe their private key got leaked so they changed it quickly thinking nobody would notice ? No official information to be found (if someone knows of any official information let me know).

It seems that there is a patch for Ubuntu and it seems their solution was to manually add certs and stuff like that.. All this because MSN has/had an issue with their servers issuing different certificates at the same time.. Or something like that (MITM)..