[conspire] Fraudulent SSL certs for *.google.com from DigiNotar

Edward Cherlin echerlin at gmail.com
Tue Aug 30 19:58:52 PDT 2011


On Tue, Aug 30, 2011 at 02:26, Rick Moen <rick at linuxmafia.com> wrote:

> Anyway, my larger point about SSL certs is simply that the whole CA
> model is deeply broken.  This whole idea that you should believe a
> displayed Web site is your bank just because your browser elects to
> believe a cert (which in turn may be because it elects to believe a
> fraudulent cert signed by the likes of Comodo or DigiNotar) has _never_
> made sense, but two successive meltdowns have proven that point past all
> doubt.
>
> So, I'm saying:  _Wake up, people!_  A 'lock' icon is not good enough
> reason to trust your credit cards, banking, health records, etc. to a
> Web page.

I once had a contract with VeriSign to write documentation on their
Public Key Infrastructure API and other such things, and I have looked
into many other security systems. The fact is that _nothing_ is good
enough to trust anything with, given the widespread incompetence and
malfeasance of supposed security experts. The Crypto AG case was the
worst, DRM in general is the least competent, and Ron Harris, from the
Las Vegas gambling regulators, caught cheating in New Jersey, was the
funniest, but everybody is vulnerable. The best you can do is to
balance risks, which you can only do if you know what they are.

http://mediafilter.org/caq/cryptogate/

And yet, they are still in business.

http://www.crypto.ch/
Crypto AG is the preferred top-security partner for civilian and
military authorities worldwide. Security is our business and will
always remain our business.

http://listverse.com/2010/01/24/10-gamblers-who-beat-the-casino/
In January, 1995 Reid Errol McNeal defied roughly 1 million to 1 odds
and hit a monster keno jackpot of $100,000 at Bally’s Park Place
Casino Resort in Atlantic City, New Jersey. What aroused suspicion of
officials was that he showed very little emotion, did not have
identification on him, and asked to be paid in cash.

New Jersey law requires jackpots of over $35,000 to be verified by
state gaming officials, and when they arrived at the casino they went
up to McNeal’s hotel room with two state troopers. There they also
found Ron Harris, who said he was a friend of McNeal. When McNeal went
downstairs with the officials to answer questions he told them that
Harris was a computer technician for the Nevada Gaming Control Board,
which regulates gaming in Las Vegas. When officials went back to the
room to search, Harris was gone but they found computer equipment and
books and notes detailing how Bally’s random number generator could be
beaten.

Three can keep a secret, if two of them are dead.--Ben Franklin, Poor
Richard's Almanac

The best advice I know is never to put data on the Internet unless you
are willing to see it published on the front page of the New York
Times. Not just Usenet postings that are publicly available to search
on Google, _anything_.

-- 
Edward Mokurai (默雷/धर्ममेघशब्दगर्ज/دھرممیگھشبدگر ج) Cherlin
Silent Thunder is my name, and Children are my nation.
The Cosmos is my dwelling place, the Truth my destination.
http://wiki.sugarlabs.org/go/Replacing_Textbooks
