[conspire] Fraudulent SSL certs for *.google.com from DigiNotar

Rick Moen rick at linuxmafia.com
Mon Aug 29 23:26:31 PDT 2011


Quoting Edward Cherlin (echerlin at gmail.com):

> Thanks, Rick. Clear and concise as usual, and extremely helpful. I had
> part of the story from my son Clement earlier, but this makes much
> more sense than what had come to him.

Yr. very welcome.

> I am personally running nightly builds of Aurora, because of massive
> memory leaks ("zombie compartments" for JavaScript) in Firefox. 9.0a1
> just popped up while I was writing this. I'll install it right after I
> click Send.

Aha!  See, I'm behind the news on Web browsers, again.  Firefox Aurora
turns out to be Mozilla Foundation's new test platform, announced
mid-April, more solid than nightly builds (sometimes called 'Mozilla
Minefield') that are (these days) referred to primarily as 'Firefox
Beta', but not as stable as official Firefox pre-releases.  Firefox
Aurora was launched at the same time as the Mozilla Labs Initiative,
their new incubator site for development projects:  https://mozillalabs.com/
Firefox Aurora's own site:  http://www.mozilla.org/en-US/firefox/channel/

Not to be confused with the Russian Empire Navy cruiser Aurora that
fired the October Revolution's first shots in Petrograd.  ;->
http://www.aurora.org.ru/

> On an almost, but not quite completely unrelated note, does anybody
> remember the skrode rider in Fire Upon the Deep commenting on Pham
> Nuwen's touchingly naive trust in public key cryptography (in the near
> vicinity of weakly-Godlike Powers in the Transcend)? The skrode rider
> couple was in the business of bulk transport of one-third unXORs of
> one-time pads, and their cargo had just lost all value through contact
> with puppets of the Ancient Evil when...but that would be telling.
> Also Vinge nails the vagaries of a Galaxy-spanning Usenet.
> 
> Or the takedown of a major CA, Credit Suisse, in Rainbows End, just to
> get at a wascally wabbit?

Yes to both.  I'm a major Vernor Vinge fan, and of course got a kick out
of both.  

FYI, Vinge has written a sequel to _A Fire Upon the Deep_, _The Children
of the Sky_, set on the Tines world.  Due out in October.
http://blogs.publishersweekly.com/blogs/genreville/?p=1389
http://www.fantasybookcafe.com/2011/06/guest-review-of-the-children-of-the-sky-by-vernor-vinge/

(Preordering?  Do it through Kepler's, please, not some Voldemort clone
corporation named for a South American river:
http://www.keplers.com/book/9780312875626 )


Anyway, my larger point about SSL certs is simply that the whole CA
model is deeply broken.  This whole idea that you should believe a
displayed Web site is your bank just because your browser elects to
believe a cert (which in turn may be because it elects to trust a
fraudulent cert signed by the likes of Comodo or DigiNotar) has _never_
made sense, but two successive meltdowns have proven that point past all
doubt.

So, I'm saying:  _Wake up, people!_  A 'lock' icon is not good enough
reason to trust your credit cards, banking, health records, etc. to a
Web page.  
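The point above, that a browser accepts any certificate chaining to any of its trusted CAs, is what key pinning was designed to mitigate: a client that also checks the leaf certificate's issuer and its SubjectPublicKeyInfo hash against a per-host policy will reject a mis-issued *.google.com certificate even though the chain is technically valid. The following is an added illustration, not code from this post or from any browser vendor. It uses a deliberately simplified certificate structure (subject CN, issuer CN and SPKI only, encoded in DER with small helpers written here) rather than real X.509 parsing, and all key bytes, the "Example Trusted CA" name and the DigiNotar-style issuer string are constructed sample values.

```python
import base64
import hashlib

# ---- Minimal DER encode/decode helpers (written for this example) ----

def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, content):
    """One tag-length-value element."""
    return bytes([tag]) + der_len(len(content)) + content

def der_parse(buf, pos=0):
    """Decode one TLV at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a SEQUENCE body into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_parse(content, pos)
        out.append((tag, val))
    return out

SEQUENCE, UTF8STRING, BITSTRING, OCTETSTRING = 0x30, 0x0C, 0x03, 0x04

# ---- Simplified certificate: SEQUENCE { subjectCN, issuerCN, SPKI } ----
# Real X.509 carries far more (serial, validity, extensions, signature);
# only the three fields the checks below need are modelled here.

def make_cert(subject_cn, issuer_cn, pubkey_bytes):
    spki = der_tlv(SEQUENCE, der_tlv(OCTETSTRING, b"example-alg") +
                   der_tlv(BITSTRING, b"\x00" + pubkey_bytes))
    return der_tlv(SEQUENCE,
                   der_tlv(UTF8STRING, subject_cn.encode()) +
                   der_tlv(UTF8STRING, issuer_cn.encode()) + spki)

def parse_cert(cert_der):
    tag, body, _ = der_parse(cert_der)
    if tag != SEQUENCE:
        raise ValueError("not a SEQUENCE")
    (_, subj), (_, iss), (spki_tag, spki_body) = der_children(body)
    return {"subject": subj.decode(), "issuer": iss.decode(),
            "spki_der": der_tlv(spki_tag, spki_body)}

def spki_pin(spki_der):
    """HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def host_matches(pattern, host):
    """Match a single-label wildcard such as *.google.com."""
    if pattern.startswith("*."):
        suffix = pattern[1:]                # ".google.com"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return pattern == host

def check_cert(cert_der, host, policy):
    """Return a list of findings; an empty list means the cert passes."""
    cert, findings = parse_cert(cert_der), []
    if not host_matches(cert["subject"], host):
        findings.append("subject %r does not cover %s" % (cert["subject"], host))
    rule = next((r for p, r in policy.items() if host_matches(p, host)), None)
    if rule is None:
        findings.append("no pin policy for %s" % host)
        return findings
    if cert["issuer"] not in rule["issuers"]:
        findings.append("unexpected issuer %r" % cert["issuer"])
    if spki_pin(cert["spki_der"]) not in rule["pins"]:
        findings.append("SPKI pin mismatch")
    return findings

# ---- Constructed sample data (not real keys, names or certificates) ----
LEGIT_CERT = make_cert("*.google.com", "Example Trusted CA",
                       b"constructed-google-public-key-bytes")
ROGUE_CERT = make_cert("*.google.com", "DigiNotar (example issuer name)",
                       b"constructed-attacker-key-bytes")

POLICY = {"*.google.com": {
    "issuers": {"Example Trusted CA"},
    "pins": {spki_pin(parse_cert(LEGIT_CERT)["spki_der"])},
}}

if __name__ == "__main__":
    for name, cert in (("legit", LEGIT_CERT), ("rogue", ROGUE_CERT)):
        print(name, check_cert(cert, "mail.google.com", POLICY) or "OK")
```

Both sample certificates carry the same subject, so a check that stops at "is this chained to a trusted root?" treats them alike; the pin policy is what separates them, reporting both the unexpected issuer and the SPKI mismatch for the rogue one. In a real deployment the pins would be computed from the genuine certificate's DER SubjectPublicKeyInfo, and a backup pin kept so that a key rotation does not lock clients out.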
