[conspire] Critical browser-certificate problem
Adam Cozzette
acozzette at cs.hmc.edu
Wed Mar 23 19:38:40 PDT 2011
On Wed, Mar 23, 2011 at 03:12:47PM -0700, Rick Moen wrote:
> Comodo, which was provably negligent, attempts to say 'We're merely a
> victim!' Don't look at us. Look at those evil people in Iran.' They
> also claim that the system worked because when informed of their screwup
> they added the nine fraudulent certs to their current Certification
> Revocation List -- a claim the article I mentions in the previous post
> is at pains to explain is utter bullshit, as that process doesn't work
> in the real world.
I'm inclined to give Comodo at least a little bit of credit, though. From the
article here
(https://blog.torproject.org/category/tags/ssl-tls-ca-tor-certificates-torbrowser):
"Both vendors [Google and Mozilla?] expressed that the CA in question had done
something quite remarkable by disclosing this compromise. The incentives may not
be in the favor of the CA for disclosure. Many CAs may fall to similar attacks
and simply refuse to disclose."
I wonder how often this has happened before with CA's just not noticing, or
worse, noticing but keeping quiet.
--
Adam Cozzette
Harvey Mudd College Class of 2012
More information about the conspire
mailing list