Comment Re:KCM vulnerable to MITM from day one (Score 1) 237
Well, you can pre-pin a cert (Google does this with their own properties, for example, and as of Firefox 32, Firefox does it for Mozilla stuff and I think some Google stuff). You can also always manually check a certificate's fingerprint before you send any data over it. That leaves the question of what you check it against, of course, but that's the whole key distribution problem; at some level you have to have a trusted source of key identity.
I really do wish there was more support for TOFU (Trust On First Use) in browsers today, though. For example, I *can* explicitly trust a self-signed certificate for example.com. However, if I later get a different cert for example.com, my browser will simply evaluate it the way it would evaluate any cert (for example, if it's signed by a Chinese government-controlled CA, the browser will trust it unless I've removed trust for that CA). None of the major browsers will stop and say "Hey, that is *NOT* the cert I expect for this site!" the way SSH (or Remote Desktop, for that matter, which also uses TOFU) will. This greatly irks me. Certificates don't change that often, and most of the time it's just an update to the expiration date or adding a new subdomain or something else innocuous like that. Even a change to the public key isn't that big a concern, especially if the old key is revoked; people rotate keys sometimes as a matter of good practice. But a change to the CA, or a change to a pinned leaf node (where I basically said "this shouldn't change"), ought to raise warning flags.
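The behaviour this comment asks for, sketched as an added example (not part of the original comment, and not how any browser works): a trust-on-first-use store that accepts a renewal or key rotation under the same issuer but warns when the issuer changes or a pinned leaf changes. `Observed`, `TofuStore`, and the sample values are hypothetical; a real client would fill `Observed` from the parsed server certificate.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Observed:
    """Fields a client would pull from the server's leaf certificate (hypothetical record)."""
    cert_der: bytes   # the whole leaf certificate
    spki_der: bytes   # its public key (SubjectPublicKeyInfo)
    issuer: str       # issuer distinguished name

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class TofuStore:
    """Remembers the first certificate seen per host, as SSH does with host keys."""
    def __init__(self):
        self._pins = {}  # host -> {"cert", "spki", "issuer", "pin_leaf"}

    def check(self, host: str, obs: Observed, pin_leaf: bool = False) -> str:
        seen = {"cert": _sha256(obs.cert_der), "spki": _sha256(obs.spki_der),
                "issuer": obs.issuer}
        pin = self._pins.get(host)
        if pin is None:                       # first use: trust and remember
            self._pins[host] = {**seen, "pin_leaf": pin_leaf}
            return "first-use"
        if seen["cert"] == pin["cert"]:
            return "match"
        if pin["pin_leaf"]:                   # user said "this shouldn't change"
            return "WARN: pinned leaf changed"
        if seen["issuer"] != pin["issuer"]:   # a different CA now vouches for the host
            return "WARN: issuer changed"
        # Same CA: innocuous renewal or routine key rotation. Accept and re-pin.
        kind = "renewed" if seen["spki"] == pin["spki"] else "key-rotated"
        pin.update(seen)
        return kind

def demo():
    """Constructed sample data: byte strings stand in for DER-encoded values."""
    store = TofuStore()
    visits = [
        Observed(b"cert-v1", b"key-1", "CN=Example CA"),
        Observed(b"cert-v1", b"key-1", "CN=Example CA"),
        Observed(b"cert-v2", b"key-1", "CN=Example CA"),   # new expiry, same key
        Observed(b"cert-v3", b"key-2", "CN=Example CA"),   # key rotation
        Observed(b"cert-v4", b"key-3", "CN=Other CA"),     # different CA
        Observed(b"cert-v3", b"key-2", "CN=Example CA"),   # stored pin was not overwritten
    ]
    return [store.check("example.com", v) for v in visits]
```

A warning leaves the stored pin untouched, so the previously trusted certificate still matches afterwards.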