Eric Rescorla
@rtfm.com
rtfm.com
The standard way to avoid cross-protocol attacks is now to use ALPN in the TLS handshake.
January 1, 2024 at 3:03 PM
Of course, actually deploying this in practice turns out to be a lot harder than it sounds, which I'll get to in the next post.

educatedguesswork.org/posts/transp...
December 15, 2023 at 6:18 PM
3. Site operators can then download all certificates, make sure they match the consensus, and then check for bogus certificates in their name. Mission accomplished.
December 15, 2023 at 6:18 PM
If all goes well, this gives you a closed loop that makes it impossible to surreptitiously issue a certificate. 1. The consensus system requires the CA to commit to all its certificates. 2. Clients verify that certificates have been committed to.
December 15, 2023 at 6:17 PM
The post has more detail, but the idea behind the proof is to show that there is a path from your certificate back to the root of the tree, thus demonstrating that the tree was computed over your certificate.
December 15, 2023 at 6:17 PM
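The Merkle inclusion proof described in the two posts above, as an added example that is not part of the thread or of any Certificate Transparency implementation. It builds the summary over a constructed list of "certificates" (plain byte strings standing in for DER), generates the audit path for one of them, verifies that path on the client side, and then performs the site operator's check from step 3: confirm the downloaded set matches the agreed root, then look for certificates in your name that you never requested. The leaf/node hashing with 0x00/0x01 prefixes follows RFC 6962; the `CN=...;` layout of the sample strings is an assumption made only to keep the example self-contained.

```python
import hashlib

# Constructed sample "certificates" (opaque bytes standing in for DER).
# The "CN=<name>;" prefix is an assumed layout for this example only.
CERTS = [
    b"CN=example.com;serial=1001;key=site-key-A",
    b"CN=mail.example.org;serial=1002;key=key-B",
    b"CN=shop.example.net;serial=1003;key=key-C",
    b"CN=example.com;serial=9999;key=attacker-key",  # never requested by the site
    b"CN=blog.example.io;serial=1004;key=key-D",
]


def leaf_hash(cert: bytes) -> bytes:
    """RFC 6962 leaf hash: domain-separated with a 0x00 prefix."""
    return hashlib.sha256(b"\x00" + cert).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 interior node hash: domain-separated with a 0x01 prefix."""
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (the RFC 6962 split point)."""
    return 1 << ((n - 1).bit_length() - 1)


def merkle_root(leaves: list) -> bytes:
    """The summary everyone must agree on: the head of the tree over all leaves."""
    n = len(leaves)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(leaves[0])
    k = _split(n)
    return node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: list, m: int) -> list:
    """Audit path for leaf m: a list of (sibling_hash, sibling_is_on_left)."""
    n = len(leaves)
    if not 0 <= m < n:
        raise IndexError("leaf index out of range")
    if n == 1:
        return []
    k = _split(n)
    if m < k:
        return inclusion_proof(leaves[:k], m) + [(merkle_root(leaves[k:]), False)]
    return inclusion_proof(leaves[k:], m - k) + [(merkle_root(leaves[:k]), True)]


def verify_inclusion(cert: bytes, proof: list, root: bytes) -> bool:
    """Client side: walk the path from the certificate up and compare to the root."""
    h = leaf_hash(cert)
    for sibling, sibling_on_left in proof:
        h = node_hash(sibling, h) if sibling_on_left else node_hash(h, sibling)
    return h == root


def name_of(cert: bytes) -> bytes:
    """Extract the subject name from the assumed 'CN=<name>;...' layout."""
    return cert.split(b";", 1)[0][len(b"CN="):]


def audit(downloaded: list, consensus_root: bytes, my_name: bytes, my_certs: set) -> list:
    """Site side: confirm the download matches the consensus, then flag strangers."""
    if merkle_root(downloaded) != consensus_root:
        raise ValueError("downloaded set does not match the agreed summary")
    return [c for c in downloaded if name_of(c) == my_name and c not in my_certs]


if __name__ == "__main__":
    root = merkle_root(CERTS)
    proof = inclusion_proof(CERTS, 2)
    print("client accepts proof:", verify_inclusion(CERTS[2], proof, root))
    print("unexpected certs for example.com:",
          audit(CERTS, root, b"example.com", {CERTS[0]}))
```

The two checks are deliberately separate: `verify_inclusion` is what a browser does per connection and proves only that this certificate is in the agreed summary; `audit` is the site operator's periodic job and proves something the browser cannot, namely that nothing else was issued in its name. Both depend on everyone holding the same `root`, which is exactly the consensus problem the thread calls the hard part.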
Finally, when you go to the Web server, it proves that its certificate matches the summary. What this means technically is that it gives you a Merkle inclusion proof that goes back to the root.
December 15, 2023 at 6:17 PM
Next, you need some mechanism whereby each element in the system can assure itself that it has the same summary as everyone else (this is actually the hard part).
December 15, 2023 at 6:16 PM
The standard solution here is what's called a consensus system. Effectively, you compute a summary of all the published certificates (typically by assembling them into a Merkle hash tree).
December 15, 2023 at 6:16 PM
For instance, if the CA has it on their web site and sends it to clients but not to sites when they check, then the system breaks down.
December 15, 2023 at 6:16 PM

The first step is to have the client (i.e., the browser) check that the certificate was published, thus hopefully forcing the CA to publish it. But now we have to confront the definition of "publish". How do we know the CA published to everyone?
December 15, 2023 at 6:15 PM
The challenge here is ensuring that CAs are actually publishing every certificate. If your concern is that the CA was intentionally misissuing, it might just choose not to publish the bogus certificate.
December 15, 2023 at 6:14 PM
A misissued certificate can be revoked, and, if investigation reveals improper practices, browsers might choose to distrust the CA, thus rendering all of its certificates invalid.
December 15, 2023 at 6:14 PM
The basic idea is to require that every certificate be published, thus allowing sites -- or services on their behalf -- to detect (at least in principle) when a certificate has been misissued.
December 15, 2023 at 6:13 PM
The solution that the ecosystem has converged on is something called a "transparency system", and in the case of the WebPKI "certificate transparency". Instead of trying to prevent misbehavior by CAs, a transparency system tries to make it detectable.
December 15, 2023 at 6:13 PM
When paired with some fairly public failures by WebPKI certificate authorities, this creates an obvious problem.
December 15, 2023 at 6:13 PM
Most real-world authentication protocols rely on some kind of trusted authentication service to attest to endpoint identities. The obvious problem here is the word "trusted"; if the authentication service misbehaves, then the whole system breaks down.
December 15, 2023 at 6:13 PM