This talk will describe the Sovereign Key system, an EFF proposal for improving the security of SSL/TLS connections against attacks that involve Certificate Authorities (CAs) or portions of the DNSSEC hierarchy. The design stores persistent name-to-key mappings in a semi-centralised, append-only data structure. It allows domain owners to deploy operational TLS keys without trusting any third parties whatsoever, and gives clients a reliable way to verify those keys. The design can also be used to automatically circumvent a large portion of server impersonation and man-in-the-middle attacks, avoiding the need for confusing certificate warnings, which users will often click through even when they are under attack. The Sovereign Key design bootstraps from and reinforces either CA-signed certificates or DANE/DNSSEC as a method of publishing and verifying TLS servers' public keys. Conceptually, it provides functionality similar to what could be obtained if HTTPS servers could publish special headers saying "in the future, all new public keys for this domain will be cross-signed by this key: XXX", but the design includes a number of necessary additional features, including a secure revocation mechanism, protection against false headers that an attacker could publish after compromising an HTTPS server, and support for protocols other than HTTPS (SMTPS, POP3S, IMAPS, XMPPS, etc). Sovereign Keys allow clients to detect server impersonation and man-in-the-middle attacks even if the attack involves compromise or malice by a CA or DNSSEC registry. But Sovereign Keys also allow for automatic circumvention of these attacks via proxies, VPNs, or Tor hidden services.
Secdocs is a project aimed to index high-quality IT security and hacking documents. These are fetched from multiple data sources: events, conferences and generally from interwebs.
Serving 8166 documents and 531.0 GB of hacking knowledge, indexed from 2419 authors from 163 security conferences.