MonkeySphere – Using OpenPGP to Route Around Broken Web Security Model

The Monkeysphere Project uses OpenPGP to securely identify servers in web browsers and elsewhere, routing around the growing potential problems with certificate authentication. As the Monkeysphere website sums it up:

Everyone who has used a web browser has been interrupted by the “Are you sure you want to connect?” warning message, which occurs when the browser finds the site’s certificate unacceptable. But web browser vendors (e.g. Microsoft or Mozilla) should not be responsible for determining whom (or what) the user trusts to certify the authenticity of a website, or the identity of another user online. The user herself should have the final say, and designation of trust should be done on the basis of human interaction. The Monkeysphere project aims to make that possibility a reality.

. . .

When you direct the browser to an https site using the Monkeysphere plugin and validation agent, if the certificate presented by the site does not pass the default browser validation (using standard, hierarchical X.509), the certificate and site URL are passed to the validation agent. The agent then checks the public keyservers for keys with UIDs matching the site url (e.g. https://zimmermann.mayfirst.org). If there is a trust path to that key, according to your own OpenPGP trust designations, the certificate is considered valid, and a browser ‘security exception’ is put in place to allow connections to the site.
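
The decision described in the passage above, as an added Python sketch that is not Monkeysphere's own code. It is a simplified model: the names `Key`, `uid_valid` and `agent_validate` are hypothetical, all keys and fingerprints are constructed placeholders, and the trust rule (one fully trusted or three marginally trusted certifiers, depth 5) follows GnuPG's classic defaults. Comparing the certificate's public key with the OpenPGP key is an assumption drawn from the passage.

```python
# Simplified model of the agent's decision; all keys below are constructed samples.
from dataclasses import dataclass, field

FULL, MARGINAL = "full", "marginal"

@dataclass
class Key:
    fpr: str      # OpenPGP fingerprint (placeholder)
    pubkey: str   # public key material (placeholder)
    uids: dict = field(default_factory=dict)  # UID -> set of certifier fingerprints

def uid_valid(keys, ownertrust, me, fpr, uid, depth=5, seen=()):
    """True if `uid` on key `fpr` is certified by the user, by one valid fully
    trusted key, or by three valid marginally trusted keys."""
    if fpr == me:
        return True
    if depth == 0 or fpr in seen or fpr not in keys:
        return False
    full = marginal = 0
    for signer in keys[fpr].uids.get(uid, ()):
        if signer == me:
            return True
        trust = ownertrust.get(signer)
        if trust is None or signer not in keys:
            continue
        # A certifier counts only if its own identity is valid for the user.
        if any(uid_valid(keys, ownertrust, me, signer, u, depth - 1, seen + (fpr,))
               for u in keys[signer].uids):
            full += trust == FULL
            marginal += trust == MARGINAL
    return full >= 1 or marginal >= 3

def agent_validate(keys, ownertrust, me, site_url, cert_pubkey):
    """Accept only if a key whose UID is the site URL holds the same public key
    as the rejected X.509 certificate and that UID has a trust path."""
    return any(k.pubkey == cert_pubkey and site_url in k.uids
               and uid_valid(keys, ownertrust, me, k.fpr, site_url)
               for k in keys.values())

SITE = "https://zimmermann.mayfirst.org"
ME = "ME"
KEYS = {k.fpr: k for k in [
    Key("ME", "pk-me", {"me": {"ME"}}),
    Key("ADMIN", "pk-admin", {"admin": {"ME"}}),  # certified by the user
    Key("SITE", "pk-site", {SITE: {"ADMIN"}}),    # certified by ADMIN
    Key("EVIL", "pk-evil", {SITE: {"EVIL"}}),     # same UID, self-certified only
]}
OWNERTRUST = {"ADMIN": FULL}
```

A key uploaded to a keyserver with the right UID is not enough on its own: the `EVIL` entry matches the site URL but has no certification path from the user, so the agent rejects a certificate carrying its key.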
