Hacker News new | past | comments | ask | show | jobs | submit login

Have you written about possible solutions? I'd be interested to hear them.



Wouldn't it be neat if there was a dialog somewhere in your browser that gave you the option of trusting anything Colin Percival trusted, or anything that the EFF trusted?


I had thought about something like this, sort of a combination of karma scores and netflix/pandora-style recommendations for ranking user content on sites like HN. I could say 'I like what tptacek has to say' and give your content a higher precedence for ME, rather than for the whole of the site user base. Others could say 'I dislike what tptacek has to say', and you get a corresponding drop for THAT USER, not everyone. Now add a chain - if I 'like' you, all that you 'like' gets a smaller, but significant bump for me, and so on. Add in 'OSCP' style repudiation if the source of your trust for someone changes their mind for any reason.

Moving this into authentication/trust - how do you 'start' something like this at an Internet scale, assuming actively hostile, nation-state level players, such as in this article? It seems very chicken-and-egg for something as critical as encryption and protection of important content.

Just thoughts - it seems there's some big issues I'm missing though, such as initial seeding for 'new' users en masse. I can also see the code to keep track of all the trust vectors, etc. becoming VERY complicated...


Seems like an awesome plan, but making it scale requires a lot of work. In this system, how do banks ensure their site shows up as secure in people's browsers? How do random sites of varying popularity?

Actually, for many people their bank seems like a good start for the trust chain; visit them in person and get the information you need for your trust root. And unlike the certificate companies, banks have end-users as their customers, not people who want certificates.


So start with the CAs, and then allow your friends and their friends and the EFF to subtract from that set.


A blacklist-based approach seems like a bad idea for security.


Blacklists are bad in authorization scenarios. But we're talking about authentication and trust.


Startup opportunity?

I'd consider subscribing to a few services that provided plausible claims to properly curate lists of ssl cert fingerprints for at least the majority of my security-critical domains. Even if it were just limited to the major internet properties (start with google/yahoo/amazon/paypal/twitter/facebook/etc), and add in major (and minor) banks, government institutions... If someone started up a service claiming to have telephoned the appropriate security people at those places and confirmed the cert fingerprints via non-internet/real-world-confirmable means, I'd certainly consider paying a few tens of dollars a year for that... Especially if it integrated nicely with a browser/os plugin.


And, hopefully, a way for Colin, the EFF, your friends, or Hacker News to say "Ummm, looks like the EFF trust list might have been compromised sometime in the last $n weeks..." and for you to be able to audit/rollback changes in that trust list, and/or compare changes with unrelated sources...




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: