[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Microsoft deems all DigiNotar certificates untrustworthy, releases updates
- Subject: Microsoft deems all DigiNotar certificates untrustworthy, releases updates
- From: millnert at gmail.com (Martin Millnert)
- Date: Mon, 12 Sep 2011 16:09:43 +0200
- In-reply-to: <[email protected]>
- References: <CAAAwwbUqiRnJws_hi=5at4uN-cn+qq7PqsYSeWO_OizQkrVyrA@mail.gmail.com> <CABSP1Ofnjj27TsA=U4zs7-tpU67pbysSVFygD=WYtJwyTXzDWw@mail.gmail.com> <[email protected]> <[email protected]>
Steinar,
On Sun, Sep 11, 2011 at 8:12 PM, <sthaug at nethelp.no> wrote:
>> To pop up the stack a bit it's the fact that an organization willing to
>> behave in that fashion was in my list of CA certs in the first place.
>> Yes they're blackballed now, better late than never I suppose. What does
>> that say about the potential for other CAs to behave in such a fashion?
>
> I'd say we have every reason to believe that something similar *will*
> happen again :-(
Something similar, including use of purchased (not only limited to
stolen certs), is ongoing already, all of the time. (I had a fellow
IRC-chat-friend report from a certain very western-allied middle
eastern country that there's ISP/state-scale SSL-MITM ongoing there,
for all https traffic.)
The comment on starting out with an empty /etc/ssl is valid. Most of
the normally included CA's you almost never run into on the wild web
anyway. There were some blog postings about this last time a CA was
busted. Shave off 90% of them and you have at least come a bit on the
way (goal 100%).
The absence of proof is *not* proof of absence, and in this particular
case it's pretty safe to assume some abuse is ongoing somewhere, 24/7.
Cheers,
Martin