Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
ocdtrekkie 2 days ago

Three browser companies on the west coast of the US effectively control all decisionmaking for WebPKI. The entire membership of the CA/B is what, a few dozen? Mostly companies which have no reason to exist except serving math equations for rent.

How many companies now run TLDs? Yeah, .com is centralized, but between ccTLDs, new TLDs, etc., tons. And domain registrars and web hosts which provide DNS services? Thousands. And importantly, hosting companies and DNS providers are trivially easy to change between.

The idea Apple or Google can unilaterally decide what the baseline requirements should be needs to be understood as an existential threat to the Internet.

And again, every single requirement CAs implement is irrelevant if someone can log into your web host. The entire thing is an emperor has no clothes thing.

tptacek 2 days ago | parent [-]

Incoherent. Browser vendors exert control by dint of controlling the browsers themselves, and are in the picture regardless of the trust system used for TLS. The question is, which is more centralized: the current WebPKI, which you say is also completely dependent on the DNS but involves more companies, or the DNS itself, which is axiomatically fewer companies?

I always love when people bring the ccTLDs into these discussions, as if Google could leave .COM when .COM's utterly unaccountable ownership manipulates the DNS to intercept Google Mail.

teddyh 2 days ago | parent [-]

> when .COM's utterly unaccountable ownership manipulates the DNS to intercept Google Mail.

Why is this more likely to happen than a rogue CA issuing a false certificate?

Also, Google has chosen to trust .com instead of using one of their eleven TLDs that they own for their own exclusive use, or any of the additional 22 TLDs that they also operate.

akerl_ 2 days ago | parent [-]

When a rogue CA issues a bad cert, they get delisted from all major browsers and are effectively destroyed.

That isn’t possible with .com

teddyh a day ago | parent [-]

The DNS is federated and hierarchical. A domain name (including top-level domains) is controlled by a single entity. If you do not trust that entity, you cannot trust that domain or top-level domain, or anything beneath that in the tree. But given that you trust the root zone, you can still (potentially) trust other subtrees in the DNS, like other top-level domains.

This is not the case with a CA, however; you are forced to trust all of them, and hope that when fradulent certificates are issued (as has happened several times, IIUC), that they will not affect you.

akerl_ a day ago | parent [-]

In fact you don't have to trust any of them, since browser root stores enforce certificate transparency.

But also the issues of segmentation are pretty much a total shift of the goalposts from what we were discussing, which is what actually happens when malicious activity occurs. In DNS, your only option is to stop trusting that slice of the tree and for every site operator to lift and shift to another TLD, inclusive of teaching all their users to use the new site. In WebPKI, the CA gets delisted for new certificate issuance and site operators get new certificates before the current ones expire. One of those is insane, and the other has successfully happened several times in response to bad/rogue CAs.