Convergence



All timestamps are based on your local time of:

Posted by: stak
Tags:
Posted on: 2011-11-09 08:30:01

You may have heard of Convergence, an SSL-replacement which replaces the centralized CA-chain architecture with a more decentralized notary-based architecture. You can specify which notary servers you want to use, and those servers are used to verify that the SSL certs your browser loads aren't being tampered with.

There are a number of things that I find particularly cool about this. The most obvious is the decentralized architecture, which should come as a surprise to nobody reading this blog. The first thing I did was get my own notary server up and running, which turned out to be pretty easy using an EC2 instance. If you want to use it, here is a link to the notary file.

The next think I like about it is that it comes with an SSL fingerprint cache on the client side, which by itself could eliminate spoofing on sites you visit frequently, since you'll have the fingerprint cached and can detect if the SSL cert you're getting doesn't match.

And finally, I like how simple to use it is. Assuming you're using Firefox, anyway. Just download the add-on and that's pretty much it. If you understand the architecture of the system, all the configuration options are intuitive and what you'd expect.

Anyway, I recommend you give it a whirl. I've only found one problem with it so far (I can't access my router via SSL while it's enabled) but that seems to be a bug in the router's SSL implementation that I'm trying to track down.

Posted by varun at 2011-11-12 23:06:45
And finally, I like how simple to use it is. Assuming you're using Firefox, anyway.

Unless you don't have the add-on and Fx refuses to even let you open the site any longer, since it's self-signed. Something changed between Fx7 and Fx8, because now the only option is "Get me out of here" for self-signed sites :( Had to get Safari open to connect to my router's management page.
[ Reply to this ]
Posted by stak at 2011-11-13 10:27:48
Which site is self-signed? The convergence website doesn't even have https.
[ Reply to this ]
Posted by varun at 2011-11-13 16:33:21
Try hitting your own notary server - Fx8 doesn't allow you to accept the certificate OOB. :(
[ Reply to this ]
Posted by stak at 2011-11-14 08:32:25
I'm not seeing the issue. Complete steps to repro? Actually, if you think it's a bug in Fx8 you might as well file a bug in Bugzilla. Let me know the bug number.
[ Reply to this ]
Posted by varun at 2011-11-14 09:19:59
0. Disable add-on for Convergence.
1. Visit notary.staktrace.com.
2. "Where's my 'I understand the risks' 3-annoying clicks button?!"
3. :(

Btw, a lot of your captchas are adding up to 79. This is the third I've seen in the last 48 hours.
[ Reply to this ]
Posted by stak at 2011-11-14 13:05:38
Ah, I see now. This may be a bug in Fx8, but regardless, you shouldn't be visiting notary.staktrace.com directly anyway. It's a notary server, not a web server. To add it to Convergence, you have to (1) enable the Convergence add-on, (2) click on the link to the notary file in my post above, and (3) click ok a bunch of times.
[ Reply to this ]
Posted by varun at 2011-11-14 14:49:47
For sure, but you know me, I like to poke around :)

Now, when do we get Convergence built into Fx? :)
[ Reply to this ]

[ Add a new comment ]

 
 
(c) Kartikaya Gupta, 2004-2023. User comments owned by their respective posters. All rights reserved.
You are accessing this website via IPv4. Consider upgrading to IPv6!