
Ask Hacker and Security Gadfly Moxie Marlinspike

timothy posted more than 2 years ago | from the pre-thanksgiving-treat dept.

Android 70

As a security researcher, Moxie Marlinspike has played a big role in explaining what can go wrong in using Certificate Authorities to authenticate SSL traffic, an issue that's been top of mind this year thanks to compromised and faked certificates. On that front, he's lately come up with a system designed to circumvent CAs entirely, which means bypassing compromised (or invidious) authorities, rather than trying to patch the CA system. Another line of research, but not the only one, is mobile security and privacy; his Whisper Monitor Android firewall, released earlier this year, gives Android users notifications (and fine-grained permissions) when apps — including location-tracking or malware apps — want to make outbound connections. Possibly related: Moxie can also speak first-hand about what new border-search policies mean for travelers, having had his laptop and phones seized on returning to the U.S. from a trip. (And by the way, he's also an accomplished sailor and film-maker.) Moxie's agreed to answer your questions. Ask as many questions as you'd like, but please, be kind of rewind^wask don't ask unrelated questions in the same post.


I got one! (-1)

Anonymous Coward | more than 2 years ago | (#38150566)

How do you sleep at night knowing that internet pedophiles and criminals use your tools to hurt and victimize innocent people?

Here's my question: (-1)

Anonymous Coward | more than 2 years ago | (#38150604)

Will you suck my cock?

Re:I got one! (1)

The Master Control P (655590) | more than 2 years ago | (#38154738)

Probably the same way every maker of guns, or claw hammers, or rope, lock jimmys, or any other physical item does: It's a tool which has no moral standing. It's your fault if you are a douchebag, pedo or sociopath, not the tool's.

Re:I got one! (1)

tehcyder (746570) | about 2 years ago | (#38156662)

Probably the same way every maker of guns, or claw hammers, or rope, lock jimmys, or any other physical item does: It's a tool which has no moral standing. It's your fault if you are a douchebag, pedo or sociopath, not the tool's.

So what are the legitimate uses of this tool then? I have no interest in searching for information myself on something created by anyone with such a stupid name.

Incidentally, "tools" such as landmines, thumbscrews, mustard gas or H-bombs have only one real use. Not all tools are neutral.

What is up with the name? (-1, Offtopic)

chiBrian (2089894) | more than 2 years ago | (#38150584)

Did your parents come up with that or did you creatively re-name yourself at some point?

Re:What is up with the name? (3, Informative)

Rary (566291) | more than 2 years ago | (#38150668)

From this interview [therevolut...itised.com]:

Heather Brooke: Maybe if you could just tell me what you do. Have you created this name as well?

Moxie Marlinspike: No that’s my name. It’s my really real name.

H: Were you born with it?

M: I wasn’t born with it but it is a real name.

H: So you changed your born name to this one.

M: For all intents and purposes this is my real name.

I don't think he wants anyone to know his birth name.

Re:What is up with the name? (0)

Anonymous Coward | more than 2 years ago | (#38150764)

M: I wasn't born with it but it is a real name.

H: So you changed your born name to this one.

M: For all intents and purposes this is my real name.

I don't think he wants anyone to know his birth name.

Or maybe he was born first, then named...

Re:What is up with the name? (0)

Anonymous Coward | more than 2 years ago | (#38150850)

His real name is Marx Marvelous.

Re:What is up with the name? (-1)

Anonymous Coward | more than 2 years ago | (#38152188)

Moxie, you're ugly as fuck. However, you are a hacker with a cute name, so I bet you pull mad pussy.

So tell us about all the chicks you've banged over the years.

Re:What is up with the name? (0)

Anonymous Coward | more than 2 years ago | (#38155438)

Hackers get mad pussy, huh?

I think you need to stop watching Hugh Jackman movies.

Re:What is up with the name? (0)

Anonymous Coward | more than 2 years ago | (#38152210)

Sheesh. Because his real name isn't really actually real even though he says it's real, it's actually a fake name and his birth name is his real name.

Humans.

How have you managed to survive (-1)

Anonymous Coward | more than 2 years ago | (#38150586)

with such an amazingly awesome name? Did your parents fight dinosaurs with lasers and jetpacks?

Is dissent, like the gadfly, easy to swat? (2)

elrous0 (869638) | more than 2 years ago | (#38150608)

And also, how do you feel about hemlock?

WhisperCore (5, Insightful)

dark_requiem (806308) | more than 2 years ago | (#38150626)

I really like the idea behind WhisperCore. The problem, as I see it, is that it's only available for two devices, and the Android source is updated regularly, making it difficult to keep WhisperCore up to date with the latest version of Android. Also, there are a wide variety of existing ROMs, each sporting its own array of features, but WhisperCore is the only one focusing on full-device encryption and a quality firewall interface. Given that security is becoming more critical on mobile devices, I would love to see WhisperCore's functionality integrated into every ROM. Have you given any consideration to integrating the WhisperCore project into an existing community such as CyanogenMod, or opening the source to build a community around WhisperCore? It would definitely help with making it available on more devices.

Re:WhisperCore - why not OSS? (1)

nullchar (446050) | more than 2 years ago | (#38153644)

Are there business or technical reasons you do not want to open the source code for WhisperCore or any of the sub-projects like WhisperMonitor?

Re:WhisperCore (0)

Anonymous Coward | about 2 years ago | (#38156526)

It confuses me why a security researcher would release software without making the source code freely available for download. Why should we trust that Whispercore isn't backdoored? Has there been any independent code review whatsoever? What about TextSecure and RedPhone? Why can't I get the source code for those?

WhisperCore and WhisperMonitor are all well and good, but more than 99% of Android users can't even think about installing them because WhisperCore is only available on two phones. Effort would be far better spent adding security/privacy features to CyanogenMod. Oh, make that 100% actually. I've just noticed that you can't even download Whispercore at the moment: http://whispersys.com/whispercore.html "Temporarily Unavailable". I wonder if that means days, weeks, months or years? Whispercore has been "coming soon" to other phones since it was released, with no actual explanation as to when that will be or which phones it will be for.

Software development skills = Excellent. Project management skills = Terrible.

Re:WhisperCore (1)

cool_arrow (881921) | more than 2 years ago | (#38179426)

Agree. I don't know why people trust this non-source code releasing security researcher. Could be a social experiment to see how many idiots can be duped into installing this particular brand of spyware voluntarily.

Most Important question... (0, Offtopic)

Anonymous Coward | more than 2 years ago | (#38150632)

Who does your hair?

CarrierIQ (5, Interesting)

nnet (20306) | more than 2 years ago | (#38150636)

Does Whisper Monitor stop CarrierIQ as well?

Whisper Monitor (2)

dark_requiem (806308) | more than 2 years ago | (#38150648)

As a followup to my previous question, have you considered releasing Whisper Monitor as a standalone app for rooted devices, rather than integrating it exclusively with WhisperCore?

Sup (-1)

Anonymous Coward | more than 2 years ago | (#38150686)

Sup, dude?

Wildcard rules (5, Interesting)

PacoBell (1569041) | more than 2 years ago | (#38150734)

Moxie, please oh please add the ability to use wildcards for a range of IPs and subdomains. The tedium of creating rules ad nauseum for certain CDNs outweighs the utility of the firewall itself. This is a major usability issue. Please look into it. Thanks.

Re:Wildcard rules (0)

Anonymous Coward | more than 2 years ago | (#38151236)

Wildcards, or CIDR notation?

Why is it that prominent security researchers (2)

al0ha (1262684) | more than 2 years ago | (#38150740)

Why is it that prominent security researchers have names like Moxie, Trevor and Tavis and not Bob, Alice or Walter?

Re:Why is it that prominent security researchers (2)

lister king of smeg (2481612) | more than 2 years ago | (#38151344)

because bob and alice are the people sending encrypted data to each other and trying to keep carman from listening in. walter? who is that?

Re:Why is it that prominent security researchers (2)

al0ha (1262684) | more than 2 years ago | (#38151716)

Walter, a warden, may be needed to guard Alice and Bob in some respect, depending on the protocol being discussed.

Re:Why is it that prominent security researchers (1)

DMUTPeregrine (612791) | more than 2 years ago | (#38155404)

How about Brian (Krebs) and Bruce (Schneier)?

Multi-Platform Software for Sodomy (-1)

Anonymous Coward | more than 2 years ago | (#38150814)

I want to sodomize someone but don't know how to do it. Can you give me any pointers? What are some good software solutions in this field?

Do you seriously believe (-1, Troll)

Fnord666 (889225) | more than 2 years ago | (#38150824)

Do you seriously believe that a hacker handle with phallic overtones lends you any sort of credibility whatsoever?

Re:Do you seriously believe (1)

Anonymous Coward | more than 2 years ago | (#38150990)

Do you seriously expect a community evaluated primarily on merit not to mod you troll?

What have *you* accomplished?

They have handles. There's a reason they have handles. The handles tend to persist, assuming nobody screws up. Their credibility is based wholly upon their claimed past and present actions.

The guy is an accomplished sailor. Sailors tend to use marlinspikes.

Even if it wasn't a crap question I think /you're/ the one projecting phallic thoughts...

Keep feeling special, cupcake.

Re:Do you seriously believe (0)

onkelonkel (560274) | more than 2 years ago | (#38151164)

whoosh

Who writes your paychecks? (5, Interesting)

SirGarlon (845873) | more than 2 years ago | (#38150948)

From your Web site it looks like you've worn a number of hats. How do you mainly earn your living -- by penetration testing, developing software as a contractor, or what? Or do you have a day job? (I won't ask where). Do you have any advice for software engineers seeking an independent career?

Re:Who writes your paychecks? (1)

tusam (1851540) | more than 2 years ago | (#38153280)

At least he sells the WPA Cracker service, but from the stories section of the site, regarding the years of hitchhiking, train hopping, squatting and sailing on a shoestring budget, it could be guessed that he might not be overly concerned about a regular paycheck.

Thoughts on TLS-SRP as a partial solution? (2)

WaffleMonster (969671) | more than 2 years ago | (#38150962)

Most secure sites we normally depend on require you to establish an account. Rather than sending our passwords in the "clear" over SSL as everyone is foolishly doing today couldn't part of this problem be solved using trust previously established between you and the site in the form of mutually authenticated credentials?

The best case example would be an online banking site first requiring you to physically come into the office with proper ID. There would no longer be any need for this bank to need to trust or use any third party.

TLS-SRP RFCs have already been written, SSL stacks used by all popular browsers already patched with support... obviously this does not fully eliminate the need for trusted third parties.

Using UPS (2)

koan (80826) | more than 2 years ago | (#38150978)

For traveling in and out of the USA is using UPS or some other shipping a good idea for moving your laptop to your destination?

Convergence and adoption (0)

Anonymous Coward | more than 2 years ago | (#38151044)

I love the idea of Convergence. The big issue is adoption rate. How do you plan on getting "companies that cannot fail" to adopt this instead of the existing CA model?

Hope for the Future (2, Interesting)

Anonymous Coward | more than 2 years ago | (#38151070)

As a security researcher myself - albeit an unknown one - I find myself constantly looking around at the state of security in our always-online world. To say the least, striving for a goal of security where nothing is ever actually secure is disheartening, something akin to a donkey chasing an inedible plastic carrot.

While the cat and mouse games between genuine rob-your-grandmother criminals and (hopefully) 'honorable' types continue today, is there really any hope that this situation won't eventually just escalate into a forced-at-birth Orwellian nightmare?

Web of trust versus online consensus (4, Interesting)

DamnStupidElf (649844) | more than 2 years ago | (#38151260)

PGP provides a model for partial trust in a public key based on the trust placed in signers of that key. I think a similar model would work much better for SSL certificates than either the current forest of fully trusted root CAs or projects like Convergence because it would allow long term trust in entities instead of merely the ephemeral keys used for SSL connections while also providing offline security and the ability to separate the keys used for privacy and identification.

If I wanted to validate the hypothetically secure https://slashdot.org/ [slashdot.org] I would be happy seeing an SSL certificate signed by Geeknet's PGP key (assuming they cared enough to be in the strong set), but even happier if it was also signed by a couple certificate authorities and some other folks in the strong set. I would assign partial trust to each of the certificate authorities' root certificates and use PGP to measure the partial trust of other signatures and set a threshold for the security of any SSL site, perhaps requiring "full trust" for automatic acceptance of an SSL certificate, a warning for marginal trust, and a bigger warning for anything less.

One of the primary advantages is separation of privacy and identification; the private key for identifying an entity would only be used to sign SSL certificates, reducing the likelihood of an attacker compromising an identity certificate. Notaries, as in Convergence, would simply be entities who sign a large number of SSL certificates after verifying the owner's identity through the existing trust network. The advantage for notaries is that they would not need to keep their private keys online and would only serve signatures. SSL sites could also just include the signatures in the initial SSL/TLS exchange, shifting bandwidth costs to the entities that benefit from the signatures. Site owners could also pre-distribute new SSL keys to certificate authorities and notaries to obtain signatures similar to the way that the existing PKI works, without relying on projects like Convergence to correctly identify a legitimate key change through heuristics.

The biggest advantage is a much more robust framework for trusting the privacy and identify of web sites. The likelihood of obtaining fraudulent SSL certificates signed by enough entities to achieve full trust is much lower than the likelihood of compromising a single fully trusted root CA or tricking a Convergence-style network into trusting a fraudulent SSL certificate by DNS poisoning or other methods.

Do you think this is a workable and, if so, good idea?
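The threshold scheme sketched in this post, written out as an added example (not code from the original post, nor from Convergence or Monkeysphere): the user assigns each signer a trust level, a certificate's signatures are tallied with each signer counted once, and the total maps to silent acceptance, a warning, or a bigger warning. Fingerprints, trust levels and weights are constructed assumptions.

```python
"""Threshold trust for a TLS certificate endorsed by several PGP-style signers.

Added example, not code from the original post, Convergence or Monkeysphere.
Weights are an assumption: one fully trusted signer, or three marginal ones,
reach the "full trust" threshold (the same shape as GnuPG's key-validity rule).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Trust levels a user can assign to a signer's key, and their weights.
FULL, MARGINAL, UNTRUSTED = "full", "marginal", "untrusted"
WEIGHT = {FULL: 3, MARGINAL: 1, UNTRUSTED: 0}
THRESHOLD = 3  # score needed for silent acceptance of the certificate


@dataclass(frozen=True)
class Signature:
    signer: str   # fingerprint of the signing key (constructed placeholder)
    valid: bool   # result of cryptographic verification, done elsewhere


def score(signatures: Iterable[Signature], trust_db: Dict[str, str]) -> int:
    """Sum the weights of distinct, validly signing, user-trusted signers.

    A signer counts once however many signatures it attaches, so a single
    compromised key cannot manufacture "full trust" by signing repeatedly.
    """
    counted = set()
    total = 0
    for sig in signatures:
        if not sig.valid or sig.signer in counted:
            continue
        counted.add(sig.signer)
        total += WEIGHT[trust_db.get(sig.signer, UNTRUSTED)]
    return total


def decide(signatures: Iterable[Signature], trust_db: Dict[str, str]) -> str:
    """Map a score to the three user-facing outcomes the post describes."""
    s = score(list(signatures), trust_db)
    if s >= THRESHOLD:
        return "accept"          # full trust: connect without prompting
    if s > 0:
        return "warn"            # marginal trust: show a warning
    return "warn-strongly"       # no trusted signer at all: bigger warning


# Constructed trust database; the fingerprints are placeholders, not real keys.
TRUST_DB = {
    "GEEKNET-FPR": FULL,         # site owner's key, fully trusted by this user
    "CA-ALPHA-FPR": MARGINAL,    # root CAs get only partial trust each
    "CA-BRAVO-FPR": MARGINAL,
    "CA-CHARLIE-FPR": MARGINAL,
    "WOT-FRIEND-FPR": MARGINAL,  # someone in the strong set
}


def legitimate_cert() -> List[Signature]:
    # Site certificate signed by its owner plus two CAs: 3 + 1 + 1 = 5.
    return [Signature("GEEKNET-FPR", True),
            Signature("CA-ALPHA-FPR", True),
            Signature("CA-BRAVO-FPR", True)]


def fraudulent_cert() -> List[Signature]:
    # Certificate minted through one compromised CA, padded with a duplicate
    # signature and an unknown signer: only 1 point, so it cannot be accepted.
    return [Signature("CA-ALPHA-FPR", True),
            Signature("CA-ALPHA-FPR", True),
            Signature("UNKNOWN-FPR", True)]


def cas_only_cert() -> List[Signature]:
    # Three independently marginal CAs together reach the threshold.
    return [Signature("CA-ALPHA-FPR", True),
            Signature("CA-BRAVO-FPR", True),
            Signature("CA-CHARLIE-FPR", True)]


if __name__ == "__main__":
    for name, sigs in [("legitimate", legitimate_cert()),
                       ("fraudulent", fraudulent_cert()),
                       ("three CAs", cas_only_cert())]:
        print(f"{name}: score={score(sigs, TRUST_DB)} -> {decide(sigs, TRUST_DB)}")
```

The fraudulent case is the post's "biggest advantage" made concrete: one compromised CA yields a warning rather than a silent connection, because it holds only partial trust and repeated signatures from it do not accumulate.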

Re:Web of trust versus online consensus (1)

OneMadMuppet (1329291) | more than 2 years ago | (#38151512)

I do. [slashdot.org]

Re:Web of trust versus online consensus (0)

Anonymous Coward | more than 2 years ago | (#38152032)

Check this out for a start: http://web.monkeysphere.info/

Or to put it another way: why not Monkeysphere? (2)

anarcat (306985) | more than 2 years ago | (#38152788)

There is a project called Monkeysphere [monkeysphere.info] which has been working on doing this and much more with PGP for a while. They support SSL certificates in the browser (with some difficulty) and SSH host key authentication, and generally aim to bridge the PGP web of trust with other tools to decentralize the work of certification authorities.

How does Convergence compare with Monkeysphere? Why didn't you collaborate with the Monkeysphere project instead of starting your own?

Re:Or to put it another way: why not Monkeysphere? (1)

DamnStupidElf (649844) | more than 2 years ago | (#38153740)

As usual, smarter people have already implemented my ideas. It's nice that they fixed ssh too.

WhisperMonitor primitives (1)

postbigbang (761081) | more than 2 years ago | (#38151296)

It seems to currently work on Nexus and nothing else. Are you going to give community guidance as to how to sandbox the OS or calls, so that others can watch the cockroaches? I don't even mind rooting the phone, if I can find ways to get a mirror of application outbound system calls documented. Sure would be nice......

security and society (2)

xappax (876447) | more than 2 years ago | (#38151412)

In addition to being a very sharp security researcher, you seem to have a strong interest in issues of social and political control.
What emerging security trends do you see as being most important or helpful for authoritarians (at home and abroad)?
What security trends are most important for anti-establishment movements?

Hold Fast (1)

Anonymous Coward | more than 2 years ago | (#38151418)

Hold Fast inspired me to learn more about sailing and eventually join a crew and earn my sea legs (see http://www.instructables.com/id/How-to-Get-a-Free-Yacht/). I'm also involved in seasteading (http://seasteading.org) and Ephemerisle (http://ephemerisle.org). I'd love to hear your thoughts on security, survival and life on the open sea. Would you consider joining us at the next Ephemerisle on the Sacramento River in June 2012? If you don't have one of your own, you'd be most welcome to stay on our boat!

GoogleSharing (0)

Anonymous Coward | more than 2 years ago | (#38151480)

Are you still hacking on GoogleSharing Proxy or would you call it a finished product? Related to this: A year ago you said a chrome version is on its way, so will there be an extension for Google Chrome or even a browser-independent solution anytime soon?

Personal question unrelated to hacking (-1)

Anonymous Coward | more than 2 years ago | (#38151524)

Will you please eat the corn niblets out of my shit?

your movie (0)

Anonymous Coward | more than 2 years ago | (#38151998)

ok, what *really* happened with you and those two chicks on the boat?

Two Questions: (0)

Anonymous Coward | more than 2 years ago | (#38152352)

1> Why do you bugdoor the software you release? Why do you need a covert, plausibly deniable way to hack into everything you create?

2> Why do all your Whisper Systems apps make an encrypted connection back home? I've put them behind a sniffer and they sure are sending a lot of traffic to you when I send an encrypted SMS... it doesn't really need to do that, of course...

bl^^gr^^whitehats unite!

Is everyone just re-inventing _parts_ of the WoT? (1)

Sloppy (14984) | more than 2 years ago | (#38153122)

It seemed to me that what Perspectives notaries do, as expressed in OpenPGP-speak, is act as sophisticated Robot CA. (Is this wrong?) Is a Convergence notary "merely" a more sophisticated Robot CA, or does it provide information which couldn't be represented in a Web of Trust?

Squatting San Francisco? (0)

Anonymous Coward | more than 2 years ago | (#38153576)

I've read some of your stories about living in squatted buildings around San Francisco. Can you tell us a story about your favorite housing situation?

bootstrapping -- notary trust (1)

Onymous Coward (97719) | more than 2 years ago | (#38153904)

Do you see the matter of how users come to trust the notaries themselves as a concern? What methods do you see for assuring users that a list of notaries is in fact recommended by a given party? I see notaries distributed with the Convergence plug-in (is the distribution signed?), but doubtlessly that's not meant as a steady-state solution as it does not promote trust agility.

Have you considered notary list configuration based on "subscriptions" à la AdBlock lists? For example, if the EFF periodically published a signed "EFF Trusted Notaries" list, as one of a number of organizations doing so?

And how much is a working web of trust required for this? Do you feel there is one?

Did you ever get sea-sick? (0)

Anonymous Coward | more than 2 years ago | (#38153948)

Hi Moxie,

I'm currently fixing up my first boat, a 30' run-down Roberts, having survived a "let's learn to sail or sink" on a 24 footer.

Have you done much work on boat hacking? I find it's great for getting my trade-skills up to speed to match my hacking/sys-admin skills.

Have you got any good yarns from your sailing - any storms and any sea-sickness?

Fair Winds,

Hardware for the traveling hacker (1)

capnkr (1153623) | more than 2 years ago | (#38153958)

Hi Moxie -

I'd be interested to know more about the hardware and/or platform you use on a daily/regular basis to do your work/research. I would assume that with your 'itinerant' lifestyle you have had to make choices and compromises in this area. IIRC, you "temporarily bought" ;) a laptop to edit Hold Fast, but that isn't something you do on a regular basis - is it? Are there any suggestions/tips/tricks about hardware or methods that you'd care to share for the traveling hacker with the above in mind?

As an aside - Thanks for all the good work and entertaining tales! :) Been using that Capt's license much lately?

miscellaneous topical ideas (1)

Onymous Coward (97719) | more than 2 years ago | (#38154050)

I don't expect this list to make it as one of the high-rated questions; I'm just offering it as food for thought and in the off chance that Mr. Marlinspike would find interest in addressing any of its ideas.

Automatic Vetting of Notaries
What if the software monitored performance of notaries over time (checking concordance, availability, misbehavior of whatever sort, etc.) and internally rated the notaries, even disabling (and perhaps reporting) badly behaving ones?

Redundancy
What about a configuration option that makes a plug-in fallback to using the existing CA system (perhaps with warning) when insufficient notaries are available?

Names
Is Convergence a plug-in or a protocol or a system or any/all of these? If the system and protocol prove viable and a different plug-in is created by others, should they say they use the "Convergence system and protocol"?

Inherently Distributed
What about the option for the plug-in to double as a notary itself, vaguely resembling a Bittorrent-like distribution of client/server responsibility? Maybe have plug-ins report their sites pseudonymously to central repositories? (I imagine such pseudonymy would be very fragile.)

Current CA System Reform — Multiple Signatures
I'm guessing by your seeming politics that reform may not be considered as workable as wholesale change, but... Do you think allowing multiple signatures on SSL certs would enhance trust agility in any practical way (perhaps by allowing easier delisting of previously too-big-to-fail CAs)?

Signatures In A Notary-Based Landscape
What about the idea of allowing signatures from (multiple) notaries to be imported into a site's certificate? Thus the user's software may not need to perform the notary queries (increasing resource consumption and (theoretically) information leakage) if the certificate is already signed by user-trusted notaries. (Could this encourage consolidation into a system virtually the same as the current CA model?) (Could this be used in profiling a user's trust relationship to notaries?)

Relation To Perspectives
What is your system's relation to Perspectives? Was their work seminal?

how bad is it? (1)

Onymous Coward (97719) | more than 2 years ago | (#38154098)

How insecure would you say the current CA model is? Looking at the fundamentals (logical OR of 600 CAs v. bell curve of their performance) I feel like it's "well and truly fucked".

How relatively secure would you say the Convergence system (as a concept) is? (Or if you want to address the actual implementation's relative security, please do.)

Sailing Advice (0)

Anonymous Coward | more than 2 years ago | (#38154208)

I've seen your movie, Hold Fast, and am interested in how you learned to sail? Did you guys really just go down there and learn as you go? Do you have any advice for those of us thinking about taking to the sea?

Social Movement (0)

Anonymous Coward | more than 2 years ago | (#38154572)

Moxie,
What social movement leader has most inspired you to work as an "off the grid" type of person?

If you're ever sailing in the Keys (0)

Anonymous Coward | more than 2 years ago | (#38154888)

Give a shout out & I'll stand you the sprit of your choice.

RedPhone and TextSecure? (0)

Anonymous Coward | more than 2 years ago | (#38155260)

Have you pulled RedPhone and TextSecure from the Android Market? I can't locate them via Web or QR. I couldn't find any information on the web, FAQ etc.

How do we know you are a whitehat? (0)

Anonymous Coward | about 2 years ago | (#38156066)

How do we know you are a whitehat? In particular, how do you make money?

Why not more Maritime Security Studies? (0)

Anonymous Coward | about 2 years ago | (#38156394)

1.) Rogue Warrior is supposedly truthful fiction. Why not write a fiction novel?
2.) Cruise Ships and Big ships tend to rely on Windoz. Why not teach on the BIG ship?
3.) Ocean sailing is hands on when it comes to rogue waves. Why not write on the 2003 Electrical Blackout caused by BAD GE Display Software causing human perception failure?
http://www.wired.com/threatlevel/2008/05/did-hackers-cau/

4.) Death may come easily. Where have you been 'BLACK SWAN' surprised?

5.) Bruce Lee JKD: Attack can be a form of defense and Gracie JJ: defense a form of attack. Why is most of your work in 'DIRECT' attack?

6.) There are single, double and triple agents. Which one(s) do you claim to be? Why?

7.) Maritime law and NOT U.S. law would govern on the high seas. When can I rent an internet server on a nuclear powered ship named Jules Verne?

8.) While sailing, how long should you stay awake or 'sleep standing up' while steering boat?

9.) How would you teach a dolphin to 'program' or perform NEW complex task set? Can you teach it to successfully attack a 'weakened' shark?

Choice of name (1)

Alioth (221270) | about 2 years ago | (#38156976)

Completely unrelated to your work, but the name "Moxie Marlinspike" sounds wonderful. It's obvious why you chose "Marlinspike", after all as a sailor it's an object that you may have found useful (and it's not that uncommon to have a last name that is a tool or a trade). But the first name you chose - why did you choose it? Looking around for references to Moxie the most prominent one is for one of the earliest carbonated beverages sold in the world, which doesn't sound too probable as an origin.

occupy movement (0)

Anonymous Coward | about 2 years ago | (#38159654)

What is your opinion regarding occupy wall street and similar events taking place these days?

Switch from Perspectives? (1)

Burz (138833) | more than 2 years ago | (#38163348)

Hello Moxie,

I'm already using the Perspectives extension (and not sure what benefit I'm getting from that)... Why should I switch from Perspectives to Convergence?

Self-signed certificates (0)

Anonymous Coward | more than 2 years ago | (#38173338)

In early November, the Southern Nevada Health District shut down [lasvegassun.com] a "Farm-to-table" dinner hosted at a farm, because the farmer didn't have receipts for the vegetables and meat that came from the farm. (Strangely, they didn't question the imported alcohol.)

Among other things, this story reminds me of all the problems around self-signed certificates.

There were plenty of people who trusted the farmer, and didn't need health district approval before consuming the content.

Do you think browsers should choke over self-signed certificates? Should consumers beware?

Has Convergence lost buy-in from its allies? (0)

Anonymous Coward | more than 2 years ago | (#38199740)

Is Convergence foundering due to a lack of buy-in from trustworthy allies?

In your BlackHat 2011 talk [youtube.com] you announced Convergence [convergence.io] as a new way to establish trust on the internet to replace the SSL/Certificate Authority approach that has been shown to be so broken with the recent compromises of CAs like Comodo and Diginotar. Yet potential allies, some of whom admit that SSL has failed to meet its purpose and needs fixing, have not bought in to Convergence. Notably these include Google's Chrome security people [imperialviolet.org] and apparently the EFF (who has proposed a different solution instead [eff.org] ).

While the list of Convergence notaries [github.com] is still growing, there is so far a lack of support from the kind of allies like the EFF who could lend credibility and tip momentum toward widescale adoption of Convergence as a solution to the SSL/CA problem. Is Convergence wilting on the vine?
