
Perspectives Project: Connect securely to https websites - ffggvv
https://perspectives-project.org/
======
pmontra
> Perspectives gives users the ability to pick a group they trust (e.g., the
> EFF, Google, their company, their university, their group of friends, etc.)
> and trust no one else.

In a company setting the company is going to be the new certification
authority, because it can configure browsers to use its own notary service. An
ISP could have leverage to configure the browsers of its customers (help
pages, setup apps, etc). A country can mandate using the country's notary, as
some countries mandate installing the state certificate to be able to MITM
https.

It could work if browsers agree to use at least a not small pool of well-known
notaries. An adversary should hack many of them, and companies and ISPs could
not limit users to their own notaries. To have a passable chance to be
enforced, those notaries must be hardcoded in the binary. But in some countries
that would lead to mandatory use of browsers patched by the state.

------
jasode
_> Notary servers or groups of notary servers may be operated by public
organizations, private companies, or even individuals._

So "who watches the watchmen"?[1]

It looks like the "notary servers" eventually become another variation of
"certificate authorities" by another name.

If web users rely on a 3rd-party organization (that's not itself a notary
server but only a rating agency), it means that the _rating agency becomes
another variation of CAs_.

Every time I've studied this problem, all roads point back to a _centralized_
trust model. Even if a _technical_ solution to decentralized trust is devised,
a _social_ emergent phenomenon of centralized trust reappears. (Even Bitcoin
with its decentralized aspirations suffered the _social_ phenomenon of
consolidating into pockets of centralized mining pools. Mining was
theoretically democratic/decentralized but the real-world ability to spend
money on GPU cards, then FPGAs, then ASICs is _not decentralized_.)

_> Just like a user picks which search engine their browser will use, the
user can also choose what group(s) of network notaries they will trust._

The average web surfer is not going to be going into their browser settings to
adjust notary servers. Computer geeks and sophisticated techs like Bruce
Schneier and Edward Snowden would tweak those hypothetical notary settings but
a billion average users will not do that.

The typical non-tech web surfer is going to outsource the thinking about
"which notary servers?" to somebody else. In response, a new centralized model
overlaid on top of the notary servers would end up serving those users.
Similar to how WebTrust is a reference for CAs.[2]

[1] https://en.wikipedia.org/wiki/Quis_custodiet_ipsos_custodes%3F

[2] http://security.stackexchange.com/questions/11464/getting-a-root-ca-accepted-in-systems-and-browsers

~~~
abecedarius
I don't know. Analogously there was a long period when IE dominated, and you
could make a case that the web browser was a natural monopoly, and trying to
compete would at best just end up in a different monopoly. I'm glad someone
went ahead and challenged it anyway. An oligopoly is better for us than a
monopoly; a two-party state is much better than a one-party state; and with a
mechanism in place for competition, a monopolist must act more like a
competitive firm even when the competition remains only potential.

------
aeijdenberg
What benefits does this approach give above those offered by Certificate
Transparency [0]? I was surprised to see no mention of this as related work in
either the linked paper or site FAQ.

[0] https://www.certificate-transparency.org/

~~~
jonquark
I think it predates CT (note that the papers linked on the website are from
2008).

------
jonquark
I like the idea and I've installed the add-on, but at the moment the notary
servers are too unreliable. The default list of notary servers fail quorum as
most don't seem to respond/be up to date. I've seen other lists of servers
(e.g. in the comments on the Firefox add-on page) but again, the servers
listed there aren't consistently responsive.

It does occur to me that I could be being Man-In-The-Middle'd but I don't
_think_ so (well I would, wouldn't I ;)

I'm currently using this list instead of the default list:


Edit: removed servers that I just noticed were usually dissenting in the
quorum. - So an attacker wouldn't have to MITM many extra domains with that
list.

------
profmonocle
> with Perspectives the browser validates a certificate by checking for
> consistency with the certificates observed by the network notaries over
> time.

It sounds like this could make it risky to change your certificates. And if
different notaries behave differently, that could become a huge headache.

~~~
cm2187
Also it may not be capable of catching a MITM close to the source of the server,
as most notaries will be MITM'd too (think an Iranian server when there are no
Iranian notaries, with Iran doing MITM).

For the same reason, not sure how it will protect the notaries themselves.
What if my state-controlled ISP MITMs both my https connection and all
connections to the notaries?

~~~
dgacmu
Not a long-term one, no. A short term change would be detected. We envisioned
that site owners could monitor the keys reported by perspectives to detect
such attacks.
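The quorum check that the last three comments argue about, as an added Python example that is not part of the Perspectives project's own code: it applies a quorum-fraction plus quorum-duration rule to constructed notary reports and shows which of the cases raised in this thread it catches (local MITM, fresh key rotation, dead notaries, a MITM near the server that a lone outside notary dissents from). The notary names, the 0.75 quorum fraction and the 7-day duration threshold are assumed values, not the add-on's real defaults.

```python
import math

DAY = 86400
NOW = 1000 * DAY  # fixed "current time" for the constructed scenarios

def quorum_duration(observations, seen_key, now, quorum=0.75):
    """Longest period (seconds) during which at least a `quorum` fraction of
    notaries continuously reported `seen_key` as the site's current key.
    observations: {notary: [(key, first_seen, last_seen), ...]}; an empty list
    (no answer) or a disagreeing latest report contributes nothing."""
    needed = math.ceil(quorum * len(observations))
    durations = []
    for spans in observations.values():
        if not spans:
            continue
        key, first_seen, _ = max(spans, key=lambda s: s[2])  # latest span
        if key == seen_key:
            durations.append(now - first_seen)
    if len(durations) < needed:
        return 0  # not enough notaries back this key at all
    durations.sort(reverse=True)
    return durations[needed - 1]  # `needed` notaries have at least this much

def verdict(observations, seen_key, now=NOW, quorum=0.75, min_days=7):
    """Map quorum duration to accept / warn / reject (thresholds are assumed)."""
    d = quorum_duration(observations, seen_key, now, quorum)
    if d == 0:
        return "reject"
    return "accept" if d >= min_days * DAY else "warn"

def scenario(reports):
    """Build observations from {notary: (key, days_seen) or None (no answer)}."""
    return {n: [] if r is None else [(r[0], NOW - r[1] * DAY, NOW)]
            for n, r in reports.items()}

NOTARIES = ["n1", "n2", "n3", "n4", "n5"]  # constructed notary names
def legit():           # long-lived key A reported by every notary
    return verdict(scenario({n: ("A", 200) for n in NOTARIES}), "A")
def local_mitm():      # browser sees key M, but every notary still sees A
    return verdict(scenario({n: ("A", 200) for n in NOTARIES}), "M")
def fresh_rotation():  # site rotated to key C yesterday (profmonocle's worry)
    return verdict(scenario({n: ("C", 1) for n in NOTARIES}), "C")
def dead_notaries():   # only two of five notaries answer (jonquark's problem)
    reports = {"n1": ("A", 200), "n2": ("A", 200), "n3": None, "n4": None, "n5": None}
    return verdict(scenario(reports), "A")
def near_server_mitm(days, quorum=0.75):  # four notaries behind a MITM see M, one outside sees A (cm2187)
    reports = {n: ("M", days) for n in NOTARIES[:4]}
    reports["n5"] = ("A", 200)
    return verdict(scenario(reports), "M", quorum=quorum)
```

Running `near_server_mitm(2)` warns while `near_server_mitm(30)` accepts, which is dgacmu's point: a short-lived change is caught, a long-lived one is not unless the quorum is raised so that the single dissenting notary blocks it.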

