Certificate Transparency Sites
I may not have said much more about Certificate Transparency, but we’ve been working on it. So, those interested in following along (or joining in) are welcome to look at…
Website.
Mailing list.
Code repository.
The code repository also inc...
An Efficient and Practical Distributed Currency
Now that I’ve said what I don’t like about Bitcoin, it’s time to talk about efficient alternatives.
In my previous paper on the subject I amused myself by hypothesizing an efficient alternative to Bitcoin based on whatever mechanism it uses to achieve consensus on checkpoints. Whilst this is fun, it is pretty clear that no such...
Bitcoin is Slow Motion
OK, let’s approach this from another angle.
The core problem Bitcoin tries to solve is how to get consensus in a continuously changing, free-for-all group. It “solves” this essentially insoluble problem by making everyone walk through treacle, so it’s always evident who is in front.
But the problem is, it isn’t really evident. Slowing everyone down doesn’t...
Bitcoin 2
Well, that got a flood of comments.
Suppose I take 20 £5 notes, burn them and offer you a certificate for the smoke for £101. Would you buy the certificate?
This is the value proposition of Bitcoin. I don’t get it. How does that make sense? Why would you burn £100 worth of non-renewable resources and then...
Improving SSL Certificate Security
Given how often I say on this blog that I am not speaking for my employer, I am amused to be able to say for once that I am. Over here.
Share This
ƃuıʇsılʞɔɐlq uʍop-ǝpısd∩
A well-known problem with anonymity is that it allows trolls to ply their unwelcome trade. So, pretty much every decent cryptographic anonymity scheme proposed has some mechanism for blacklisting. Basically these work by some kind of zero-knowledge proof that you aren’t on the blacklist – and once you’ve done that you can proceed.
However, this scheme...
Firesheep: Session Hijacking for Morons
OK, we’ve all known forever that using any kind of credential over an unencrypted connection is a Bad Idea(tm). However, we also know that pretty much every website does an Obi-wan over session cookies, which typically travel over HTTP. “These are not the credentials you are looking for” they tell us.
Firesheep proves that comprehensively wrong....
Experimenting With Client Certificates
I was recently contacted about yet another attempt to use client certificates for authentication. As anyone paying attention knows, this has some attractions but is pretty much unusable in browsers because of their diabolical UIs. So, I was fascinated to learn that this particular demo completely avoids that issue by implementing TLS entirely in Javascript!...
It’s All About Blame
I do not represent my employer in this post.
Eric Schmidt allegedly said
“The only way to manage this is true transparency and no anonymity. In a world of asynchronous threats, it is too dangerous for there not to be some way to identify you. We need a [verified] name service for people. Governments will demand it.”
I...
Nigori: Protocol Details
As promised, here are the details of the Nigori protocol (text version). I intend to publish libraries in (at least) C and Python. At some point, I’ll do a Stupid version, too.
Comments welcome, of course, and I should note that some details are ...
Nigori: Storing Secrets in the Cloud
Lately, I’ve been thinking about phishing. Again. If we want users to take our sensible advice and use different passwords everywhere, then they’ve got to be able to remember those passwords and move them from machine to machine. In order to do that with any ease, we’ve got to store them in the cloud. But...
Selective Disclosure, At Last?
Apparently it’s nearly five years since I first wrote about this and now it finally seems we might get to use selective disclosure.
I’m not going to re-iterate what selective disclosure is good for and apparently my friend Ben Hyde has spared me from the need to be cynical, though I think (I am not a...
