[conspire] Oh, Diginotar, no!

Rick Moen rick at linuxmafia.com
Tue Oct 18 13:32:16 PDT 2011

Quoting Paul Zander (paulz at ieee.org):

> Article from BBC, 
>      Web commerce hack attack may 'happen again'.  
>      The problem of what to do when certificate issuers were
>      compromised never came up when the original work was being
>      done on SSL/TLS, said Dr Elgamal.
>      "Nobody asked the question of what to do if a 
>      certificate authority turns out to be bad," he said. 
> Full article at: 
> http://www.bbc.co.uk/news/technology-15348821

It's a good article as far as it goes.  Two points:

1.  Don't expect any prepackaged solution to the problem of unreliable
certificate authorities, for the foreseeable future.  _You_ need to
independently be a type of certificate authority.  That's my preferred
brand of solution.  Personally, I am so far finding it sufficient to run
a browser extension that notifies me whenever an SSL cert or its
attestation has changed.  And there are other approaches worth
considering for SSL vetting, such as the Convergence and Monkeysphere 

2.  The bit in the latter paragraphs about upgrades to TLS (to less
gimmicable later revision TLS 1.2) is correct but of relatively minor 
importance.  The 'attack' the author refers to isn't really very
practical.  In any event, if users leave the warnings about mixed
SSL/non-SSL content enabled (in Firefox:  Preferences, Security, Warning
Messages, "I'm about to view an encrypted page that contains some
unencrypted information'), and make sure they understand anything
generating those messages, that attack cannot work at all.

More information about the conspire mailing list