
ICSI Certificate Notary
Security researchers from the University of California, Berkeley have announced the creation of the non-profit community project ICSI Certificate Notary, which maintains a single database of information about the validity of SSL certificates.
The certificate-validation service is an attempt to address a key architectural problem of the certification process: the compromise of any one of the hundreds of trusted CA certificates collapses the entire chain of trust (the attacker can generate a certificate for any site, and the whole system will accept it as valid). ICSI Certificate Notary can detect such fraudulent certificates at an early stage of their appearance.
Based on a year of automated monitoring covering statistics on about 7.6 billion SSL connections from 220,000 users, data was collected on about 500 thousand certificates used by web sites on the network. The data is accumulated by several independent partner systems operating in different parts of the world. The information is updated continuously, which allows evidence of certificate compromise to be tracked down quickly. Thus, using ICSI Certificate Notary, any user can verify that the certificate used to establish an SSL connection to a given site was actually issued for that site, and that the client is not talking to a man-in-the-middle inserted by attackers to intercept its traffic.
Access to the service is organised as a DNSBL. The reputation of a certificate is checked by sending a DNS request for the name "hash.notary.icsi.berkeley.edu", where hash is the SHA1 hash of the certificate to be checked. The response is a TXT record with information about the validity of the certificate and the times of its first and last observation (for example, "version=1 first_seen=15387 last_seen=15646 times_seen=260 validated=1"). Certificate validation is performed against the root certificate store maintained by the Mozilla project.
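The following script is an added example, not code from the article or from the ICSI project: it builds the DNSBL-style query name from a DER-encoded certificate, parses the TXT record format quoted above into a dictionary, and classifies the result. The live `lookup()` helper assumes the third-party dnspython package and assumes that an unknown certificate yields no answer (NXDOMAIN); the parsing and classification run offline against the constructed sample record.

```python
import hashlib
from datetime import date, timedelta
from typing import Dict, Optional

# Zone name from the article; the query is "<sha1 hex>.<zone>".
NOTARY_ZONE = "notary.icsi.berkeley.edu"
EPOCH = date(1970, 1, 1)

# Constructed sample: the TXT record quoted in the article.
SAMPLE_TXT = "version=1 first_seen=15387 last_seen=15646 times_seen=260 validated=1"


def query_name(cert_der: bytes) -> str:
    """Return the DNSBL name for a certificate.

    The hash must be computed over the DER encoding (the raw bytes sent on
    the wire), not over a PEM/base64 rendering of the same certificate.
    """
    return hashlib.sha1(cert_der).hexdigest() + "." + NOTARY_ZONE


def parse_txt(txt: str) -> Dict[str, int]:
    """Parse a 'key=value key=value ...' TXT record into integers.

    Surrounding quotes (as printed by dig) are tolerated; any field that is
    not an integer key=value pair is rejected rather than silently skipped.
    """
    fields: Dict[str, int] = {}
    for field in txt.strip().strip('"').split():
        key, sep, val = field.partition("=")
        if not sep or not key or not val.lstrip("-").isdigit():
            raise ValueError(f"malformed field: {field!r}")
        fields[key] = int(val)
    return fields


def day_to_date(days_since_epoch: int) -> date:
    """first_seen/last_seen are day counts since the Unix epoch (assumption)."""
    return EPOCH + timedelta(days=days_since_epoch)


def assess(record: Optional[Dict[str, int]]) -> str:
    """Map a notary answer to a coarse verdict for a defender's dashboard."""
    if record is None:
        return "unknown"            # notary has never observed this certificate
    if record.get("version") != 1:
        return "unsupported-version"
    if record.get("validated") == 1:
        return "validated"          # chain validated against the Mozilla root store
    return "seen-unvalidated"       # observed in the wild but did not validate


def lookup(cert_der: bytes) -> Optional[Dict[str, int]]:
    """Live query; requires dnspython (assumed dependency, not on the page)."""
    import dns.resolver  # third-party package

    name = query_name(cert_der)
    try:
        answers = dns.resolver.resolve(name, "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return None  # assumed: unknown certificates produce no TXT answer
    txt = b"".join(answers[0].strings).decode("ascii")
    return parse_txt(txt)


if __name__ == "__main__":
    record = parse_txt(SAMPLE_TXT)
    print(assess(record), day_to_date(record["first_seen"]), day_to_date(record["last_seen"]))
```

When reading a live answer, `validated=1` only states that the notary could build a chain to a Mozilla-trusted root when it observed the certificate; it is a reputation signal, not proof that the certificate is the one the site operator intended to deploy. A certificate for a well-known site with a very recent `first_seen` and a small `times_seen`, or one that is entirely unknown to the notary, is the case worth alerting on.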
Related links:
http://notary.icsi.berkeley.edu/
http://blog.bro-ids.org/2012/11/using-icsi-certificate-notary.html