Privacy by Default.

Why p≡p project isn't reachable via commercial HTTPS

TL;DR: because commercial HTTPS isn't secure against surveillance. Here is why.

HTTPS, the encrypted way to reach a website, is technically based on TLS (formerly known as SSL), which itself is based on an encryption standard named X.509. As the public has noticed, its most widely used implementation, OpenSSL, has had big security issues. But that is not the reason why p≡p project decided not to support commercial HTTPS.

Actually there is a security design flaw in X.509; it's not a design flaw from a technical perspective, but from a political one: HTTPS and TLS follow the X.509 idea of trusting commercial CAs. That is the idea that companies check the identities of people and other companies which want to offer services via the web. It also means that your web browser has a list of such CAs which you're implicitly trusting to do this job well. If you want to see that list, all common web browsers can show it to you, and you can change it there. With Mozilla Firefox, for example, you can reach it in Preferences, Advanced, Encryption, View Certificates, Authorities. There you can see that you're implicitly trusting (even if you don't know it) CAs ranging from TÜRKTRUST and China Internet Network Information Center to US companies like Wells Fargo WellsSecure, which can be forced to cooperate with intelligence services via Section 215 of the Patriot Act. And it's even worse: if only one single CA isn't trustworthy, it can make all other CAs useless, because each CA can create a certificate for any web address, and you're implicitly trusting all of them.

People are just now trying to improve that a little with countermeasures like certificate pinning, but all in all it's just flawed. There is an alternative, though.
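To make the pinning countermeasure concrete, here is an added example (not part of the original post and not p≡p code): the client keeps normal CA validation but additionally accepts only a certificate whose SHA-256 fingerprint it recorded beforehand, so a certificate for the same address issued by any other CA in the list is rejected. The function names, the host name and the two sample "certificates" are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the certificate exactly as the server sent it (DER)."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: set) -> bool:
    """True only if this exact certificate was pinned beforehand.

    Which CA signed it plays no role, so a certificate for the same host name
    issued by any other CA in the browser's list fails this check.
    """
    seen = fingerprint(der_cert)
    return any(hmac.compare_digest(seen, p.lower()) for p in pins)


def fetch_pinned(host: str, pins: set, port: int = 443, timeout: float = 10.0) -> bytes:
    """Connect with normal CA validation, then additionally enforce the pin."""
    ctx = ssl.create_default_context()  # CA list and host name check stay on
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pins):
                raise ssl.SSLError(f"pin mismatch for {host}: {fingerprint(der)}")
            return der


# Constructed stand-ins for two DER certificates for the same host name,
# one from the expected CA and one from a different CA (not real certificates).
EXPECTED_CERT = b"constructed: cert for www.example.org from CA A"
OTHER_CA_CERT = b"constructed: cert for www.example.org from CA B"
PINS = {fingerprint(EXPECTED_CERT)}

if __name__ == "__main__":
    print(pin_matches(EXPECTED_CERT, PINS))   # pinned certificate is accepted
    print(pin_matches(OTHER_CA_CERT, PINS))   # same name, other CA: rejected
```

The pin has to be obtained over a channel you already trust and updated whenever the site renews its certificate, which is part of why pinning only improves the situation a little.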

The alternative in X.509/TLS/HTTPS is CAcert. They're trying to use X.509 by implementing a Web of trust like it is done with OpenPGP. So trusted people check everything manually, or you will not get a certificate for your website at all. This is not perfect either, though. But it is the better alternative. That's the reason why p≡p project's home page is reachable with a CAcert based certificate. This will only make you more secure if you remove all the commercial CAs. Adding the CAcert root certificate alone does not help very much. Adding the CAcert root does not do any harm, but removing the others makes HTTPS nearly unusable in practice, because that will bring you a lot of problems reaching common web sites, so unfortunately we're a little stuck here. For us here at p≡p it's important that you know, and if you have read this far you now know that you shouldn't trust too much ;-) You may play around with some certificate add-ons, though. Some of them are available for other browsers, too.

BTW: p≡p itself uses neither a Web of trust nor a CA infrastructure for encryption by default – trust management with p≡p is peer-to-peer.

(Volker Birk)

published Sat, 20 Sep 2014 11:41:06 +0200 #background #ca #certificate #https #ssl #tls #weboftrust #x.509
