The security of SSL/TLS is built on a rickety scaffolding of trust. At the core of this system is an ever-growing number of Certificate Authorities that most people (and software) take for granted. Recent attacks have exploited this inherent trust to covertly intercept, monitor and manipulate supposedly secure communications. These types of attack endanger everyone, especially when they remain undetected. Unfortunately, there are few tools that non-technical humans can use to verify that their HTTPS traffic is actually secure.
We will present our research into the technical and political problems underlying SSL/TLS. We will also demonstrate a tool, currently called “Canary”, that will allow all types of users to validate the digital certificates presented by services on the Internet.