
Convergence is a well-thought out system to replace certificate authorities buil


Question

Convergence is a well-thought-out system to replace certificate authorities built by Moxie Marlinspike back in 2011.

Since its debut, it seems to have largely stalled out, with no additional major notaries since the original pair and a total lack of adoption by the major browser vendors.

The most critical piece of the web's encryption infrastructure is fundamentally broken. Not only is it trivial for script kiddies to perform MITM attacks, the lack of web encryption has enabled global dragnet surveillance.

Why has this stalled out and why aren't the major browser vendors competing on this point?

Explanation / Answer

Convergence does not solve a security issue that needed fixing. In practice, evil people who run fake sites for phishing purposes will not bother crafting a fake certificate; rather, they make a non-SSL site, or try to convince the gullible victim that the browser security warning is meaningless. (The same point can be made, and has actually been made, about EV certificates.)

What Convergence tries to fix is a political issue: it is mostly about kicking the established, commercial CAs out of the Web business; it is an attempt at replacing traditional business concentration with a somewhat anarchic decentralized system. Unsurprisingly, this is not a powerful enough reason to drive adoption of a new system. Moreover, commercial CAs and browser vendors are actually on good terms, and are more inclined to team up against their respective competitors rather than go to war against each other.
