[conspire] Fraudulent SSL certs for *.google.com from DigiNotar
Rick Moen
rick at linuxmafia.com
Mon Aug 29 23:26:31 PDT 2011
Quoting Edward Cherlin (echerlin at gmail.com):
> Thanks, Rick. Clear and concise as usual, and extremely helpful. I had
> part of the story from my son Clement earlier, but this makes much
> more sense than what had come to him.
Yr. very welcome.
> I am personally running nightly builds of Aurora, because of massive
> memory leaks ("zombie compartments" for JavaScript) in Firefox. 9.0a1
> just popped up while I was writing this. I'll install it right after I
> click Send.
Aha! See, I'm behind the news on Web browsers, again. Firefox Aurora
turns out to be Mozilla Foundation's new test platform, announced
mid-April, more solid than nightly builds (sometimes called 'Mozilla
Minefield') that are (these days) referred to primarily as 'Firefox
Beta', but not as stable as official Firefox pre-releases. Firefox
Aurora was launched at the same time as the Mozilla Labs Initiative,
their new incubator site for development projects: https://mozillalabs.com/
Firefox Aurora's own site: http://www.mozilla.org/en-US/firefox/channel/
Not to be confused with the Russian Empire Navy cruiser Aurora that
fired the October Revolution's first shots in Petrograd. ;->
http://www.aurora.org.ru/
> On an almost, but not quite completely unrelated note, does anybody
> remember the skrode rider in Fire Upon the Deep commenting on Pham
> Nuyen's touchingly naive trust in public key cryptography (in the near
> vicinity of weakly-Godlike Powers in the Transcend)? The skrode rider
> couple was in the business of bulk transport of one-third unXORs of
> one-time pads, and their cargo had just lost all value through contact
> with puppets of the Ancient Evil when...but that would be telling.
> Also Vinge nails the vagaries of a Galaxy-spanning Usenet.
>
> Or the takedown of a major CA, Credit Suisse, in Rainbows End, just to
> get at a wascally wabbit?
Yes to both. I'm a major Vernor Vinge fan, and of course got a kick out
of both.
FYI, Vinge has written a sequel to _A Fire Upon the Deep_, _The Children
of the Sky_, set on the Tines world. Due out in October.
http://blogs.publishersweekly.com/blogs/genreville/?p=1389
http://www.fantasybookcafe.com/2011/06/guest-review-of-the-children-of-the-sky-by-vernor-vinge/
(Preordering? Do it through Kepler's, please, not some Voldemort clone
corporation named for a South American river:
http://www.keplers.com/book/9780312875626 )
Anyway, my larger point about SSL certs is simply that the whole CA
model is deeply broken. This whole idea that you should believe a
displayed Web site is your bank just because your browser elects to
believe a cert (which in turn may be because it elects to trust a
fraudulent cert signed by the likes of Comodo or DigiNotar) has _never_
made sense, but two successive meltdowns have proven that point past all
doubt.
So, I'm saying: _Wake up, people!_ A 'lock' icon is not good enough
reason to trust your credit cards, banking, health records, etc. to a
Web page.
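The point made above, that a browser believes any certificate chaining to any root in its store, is easiest to see next to the mitigation that followed the DigiNotar incident, public-key pinning (RFC 7469 style SPKI hashes). The following is an added example written for this archive page, not code from the original post or from any browser or Mozilla project. It builds two constructed, structurally valid but unsigned X.509 DER certificates for the same name (one from a made-up "Example Root CA", one from a root named after DigiNotar), then shows the trust-store check accepting the rogue one while a pin on the genuine key rejects it. Everything here is hypothetical: the CA names, key bytes, and the `ca_model_accepts` stand-in, which only compares the issuer name against the store instead of verifying a signature chain.

```python
import base64
import hashlib

# ASN.1/DER tags used by the toy certificates below
SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME, CTX0 = 0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0xA0


def der_encode(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_read_tlv(buf, pos):
    """Read the TLV starting at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def tbs_fields(cert_der):
    """Split TBSCertificate into its top-level TLVs (tag, raw TLV bytes, content),
    dropping the optional [0] version so that indexes are stable:
    0 serial, 1 signature alg, 2 issuer, 3 validity, 4 subject, 5 subjectPublicKeyInfo."""
    _, body, _ = der_read_tlv(cert_der, 0)  # Certificate
    _, tbs, _ = der_read_tlv(body, 0)       # TBSCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, content, end = der_read_tlv(tbs, pos)
        fields.append((tag, tbs[pos:end], content))
        pos = end
    return fields[1:] if fields[0][0] == CTX0 else fields


def issuer_cn(cert_der):
    """Return the CN of the first RDN of the issuer Name (the toy certs use a single CN RDN)."""
    issuer = tbs_fields(cert_der)[2][2]
    _, rdn, _ = der_read_tlv(issuer, 0)
    _, atv, _ = der_read_tlv(rdn, 0)
    _, _, p = der_read_tlv(atv, 0)          # skip the attribute-type OID
    _, value, _ = der_read_tlv(atv, p)
    return value.decode()


def spki_pin(cert_der):
    """Pin as in RFC 7469: base64(SHA-256(DER-encoded SubjectPublicKeyInfo))."""
    spki = tbs_fields(cert_der)[5][1]
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()


def ca_model_accepts(cert_der, trusted_roots):
    """Toy stand-in for the CA model the post criticises: any issuer in the store is believed.
    (A real client also verifies the signature chain; that does not change the outcome here.)"""
    return issuer_cn(cert_der) in trusted_roots


def pin_accepts(cert_der, pins_for_host):
    """Key pinning: which CA signed is irrelevant; the key must be one the site operator pinned."""
    return spki_pin(cert_der) in pins_for_host


def build_toy_cert(subject_cn, issuer, key_bytes):
    """Constructed X.509 v3 DER with a placeholder signature; structurally valid, not a real cert."""
    def name(cn):   # Name ::= SEQUENCE OF SET OF (OID commonName, UTF8String)
        atv = der_encode(SEQ, der_encode(OID, bytes.fromhex("550403")) + der_encode(UTF8, cn.encode()))
        return der_encode(SEQ, der_encode(SET, atv))
    sig_alg = der_encode(SEQ, der_encode(OID, bytes.fromhex("2a864886f70d01010b")) + der_encode(NULL, b""))
    key_alg = der_encode(SEQ, der_encode(OID, bytes.fromhex("2a864886f70d010101")) + der_encode(NULL, b""))
    spki = der_encode(SEQ, key_alg + der_encode(BITSTR, b"\x00" + key_bytes))
    validity = der_encode(SEQ, der_encode(UTCTIME, b"110829000000Z") + der_encode(UTCTIME, b"120829000000Z"))
    tbs = der_encode(SEQ, der_encode(CTX0, der_encode(INT, b"\x02")) + der_encode(INT, b"\x01")
                     + sig_alg + name(issuer) + validity + name(subject_cn) + spki)
    return der_encode(SEQ, tbs + sig_alg + der_encode(BITSTR, b"\x00" * 33))   # placeholder signature


# Constructed scenario: the site's genuine key versus a cert for the same name from another root.
TRUSTED_ROOTS = {"Example Root CA", "DigiNotar Root CA", "Comodo Root CA"}   # hypothetical store
GENUINE = build_toy_cert("*.google.com", "Example Root CA", b"genuine-key-bytes-A" * 4)
ROGUE = build_toy_cert("*.google.com", "DigiNotar Root CA", b"other-key-bytes-B" * 4)
PINS = {spki_pin(GENUINE)}   # what the site operator would publish / the client would remember


def demo():
    return {
        "ca_model_rogue": ca_model_accepts(ROGUE, TRUSTED_ROOTS),   # True: the broken part
        "pin_rogue": pin_accepts(ROGUE, PINS),                      # False: pin does not match
        "pin_genuine": pin_accepts(GENUINE, PINS),                  # True
    }


if __name__ == "__main__":
    print(demo())
```

The pin is computed over the whole SubjectPublicKeyInfo TLV rather than the certificate, so the site can renew its certificate, or move to a different CA, without changing the pin as long as the key stays the same; the flip side is that a lost key with no backup pin locks clients out, which is why pinning deployments publish a backup pin.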