Correction: In the talk I mentioned that Chrome has its own root CA store, which is only partly true. On macOS and Windows, Chrome uses a blacklist while the underlying OS provides the root CA store. On Linux it uses NSS, which is sometimes the “system” store, but sometimes not.
Links in talk:
- Ken Thompson’s Reflections on Trusting Trust
- OWASP Threat Modeling paper
- OWASP Top Ten Cheat Sheet
- Chattanooga Security and Privacy Society
- David A. Wheeler’s Countering Trusting Trust through Diverse Double-Compiling
ChaDev Lunch Talk Recording