1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950 |
- SSL's trust model is quite centralized in practice, which some people consider a
- weakness or a result of bad design. Although anyone can become a Certificate
- Authority, your web browser trusts only a specific predefined group of CAs, and
- they're managed by large companies which:
- 1. Require you to pay for most of their services (sometimes you can get free but
- limited service)
- 2. Require a lot of personal information about you
- Maybe the worst thing is the fact that trust is established without actually
- knowing each other, i.e. the fact some website is trusted by the web browser
- doesn't mean you can trust it. For example, the websites of Google and Facebook
- use signed certificates which your web browser probably trusts automatically,
- without asking you. At the same time, they both collect private user data, apply
- censorship, report to the NSA, use your pictures to create advertisiments and so
- on. Do they sound like people/services you can trust as a user? Probably not.
- The good news: You can add new certificates to the web browser! Therefore, as a
- client, you can decide whom you trust and whom you don't. It's not something
- many people do, and the interface may sometimes not be the most friendly, but
- it's important to have it.
- You may guess managing certificates manually is difficult and cumbersome, even
- with a GUI (like what Iceweasel and Evolution offer, for example). It's true,
- there are many many websites on the internet, made by many different people, and
- managing all the certificates manually is impossible. Instead, you can tell your
- browser to determine who is trusted, using [[!wikipedia PGP]].
- PGP allows you to use trust signatures in a *transitive* manner. In simple
- words, while you still mark websites you trust, you can also choose to trust
- people you know (e.g. your friends) and your browser will automatically trust
- the website they trust as well, making the work of marking trusted websites
- *collaborative* and much faster. If you have a community of people trusting each
- other in the PGP sense, using PGP for web service authentication not becomes
- much easier - and you don't need to rely on some potentially-greedy large
- companies to tell you who's okay and who isn't!
- Therefore, as a client you have two tools to help you use the web securely:
- 1. Add CA certificates manually
- 2. Use PGP
- The PGP integration is relatively new, and is implemented by a free software
- project called Monkeysphere.
- As a service provider, you can help promote the transition to a decentralized
- system by avoiding the centralized and commercial CAs and using your own CA
- instead, and by getting Monkeysphere support. This guide explains how to enable
- Monkeysphere for your SSL certificates.
|