kuix.de blog - Should we implement a CA-Knockout Add-On?

Links

Home
Contact
Stats
Main Homepage
RSS feed

Most Recent Comments

Paul Sladen
08/14/11
I just got the FortiGate CA/Fortinet MITM/SSL certification...

Erik
07/10/11
I agree with Robert, they probably prefer MITM'ing...

John Turner
07/01/11
I experienced the same issue yesterday on two different...

Robert Relyea
06/17/11
> I am able to find several reports about MITM for...

Administrator (Kai Engert)
06/17/11
Lior, I fully understand what the Fortigate appliance is...

Should we implement a CA-Knockout Add-On?

Tuesday, September 6, 2011, 04:39 PM
Posted by Administrator

I consider to implement a Mozilla Firefox/Thunderbird/SeaMonkey Add-On with the following functionality.
I'm striving for something that I (or we) could implement within a minimum amount of time, like 24-48 hours.

(1) it embeds my personal Code Signing certificate ("cert pinning").

(2) it (daily) pings a given URL, e.g. https://ca-knockout.kuix.de/knockout/latest.txt

The URL delivers plain text data, 3 rows.
- line 1: version number 1
- line 2: the number of the most recent knockout certificate (a steadily increasing number starting with 1)
- line 3: a base64 encoded signature, which signs the text contained in line 2

(3) the Add-On keeps track of the most recently download knockout certificate

(4) if the signature of the most recent knockout number is confirmed, then the addon will download all missing knockout certs
Let's say, the addon had previously downloaded knockout number 1, and the server now says latest knockout is number 3.
Then the Add-On will download the following URLs:

https://ca-knockout.kuix.de/knockout/2.txt
https://ca-knockout.kuix.de/knockout/3.txt

In particular we can use prefs like "most-recent-known-knockout-number"
and "most-recent-imported-knockout".

(5) Retry downloading each of them in order, until successful and until
most-recent-known-knockout-number equals most-recent-imported-knockout.

(6) the contents of the knockout files like 2.txt is plain text data, 3 rows:
- line 1: version number 1
- line 2: the knockout number (e.g. 2), a single space, and a base64 encoded certificate that should be marked as not trusted
- line 3: a base64 encoded signature, which signs the text contained in line 2

(7) import each knockout certificate that can be verified

(8) Add another feature to the Add-On - allow users to import the files like 2.txt and 3.txt directly, e.g. by copying the text into a dialog. With this feature, if a user is in an environment that blocks connections to host ca-knockout.kuix.de - then users could obtain the knockout instructions via other channels, such as email from friends, or any other source.

(9) make Add-On available and suggest that users install it

view entry ( 3843 views ) | permalink |

( 3 / 4277 )

<<First <Back | 1 | 2 | 3 | 4 | 5 | Next> Last>>