6 Apr 2010, 10:34 p.m.
Aside from a man-in-the-middle attack, it's highly possible that browser developers are not doing a very good job of managing and auditing the root CA certificates that they ship included with the browser releases. Further, it's possible that CAs aren't doing a good job of keeping track of what certificates they submit to browser developers. Take a look at this discussion: http://bit.ly/a7b04A

After reading that discussion, I'd be much less surprised to hear that a bogus root CA certificate, even one that fraudulently identified its source as a major trusted CA, was included in a series of browser releases from at least one of the major developers.

- VAB