Trusting trust.

April 3, 2004

A friend of mine recently had to write an essay about a classic CS paper. I sent him here and here, but if you’re in the market for a straightforward paper that will kick your head all the way off, you should look at this.

I tried a little experiment a few weeks ago with Mozilla’s security certificates, just to see what I could learn. It turns out there’s a bunch of names on that authority list including AOL, Verisign and others, none of whom I actually put in there. Honestly, why should I trust AOL? We’ve never even met. Thawte offers a service right there on the front page that lets you confirm that they are who they say they are, by validating themselves. Verisign offers to let me sign up for a “free trial certificate”, as does BeTRUSTED. For a while, Thawte had a big label on their front page that basically said “for ten thousand dollars, everyone will know they can trust you.” “” sends me to a web site that’s not Valicert at all, though they apparently still validate certs anyway.

None of these facts fill me with confidence.

And, on top of all that, I can’t revoke any of these master-certs in Mozilla proper. If you delete them in the certificate manager they just stay there. I had to strip them out of the source by hand and recompile to test it out my theory, that maybe I could get by without them, that I could decide for myself who to trust and who not to.

You know what? You can’t. And when people I do trust say that they’re uncomfortable with who’s being trusted, and people whose kung-fu is far more powerful than my own say that it’s all bullshit anyway, I’m ready to get concerned about whose trust I’m unknowingly trusting, and why.

In practical terms, after my trust-no-one, cigarette-smoking recomiple, what happened?

Nothing. Some of the sites I frequent that have a Paypal tip jar in them pop up a dialog saying that my transaction won’t be secure. That’s it. I can’t get rid of it, because in order to trust Paypal I have to choose to trust somebody else on the list, which kind of violated the spirit of the whole thing. It’s goddamned annoying, but that’s all it is.

And so I just don’t know what to do. I’d like to be security conscious, I run nessus on my machines after every upgrade, I keep track of what services are running, I check my logs. Sometimes bad things happen, but that’s life, and I fix it. But I don’t know what to do in the face of this information, given that my options seem to be “ignore it” and “no more browsing”.