That's the link if anyone doesn't prefer to follow the shortened URL:
http://www.theregister.co.uk/2010/04/06/mysterious_mozilla_apple_certificate...

Like Mr. Brennen says, this is very bad. I also wonder what the browser policies of the major browsers are when a root CA company is acquired by another company. Is trust automatically transferred to the new company? Will the browser keep or revoke these certificates?

Sarad.

--- On Wed, 4/7/10, V. Alex Brennen <alexbrennen@gmail.com> wrote:
From: V. Alex Brennen <alexbrennen@gmail.com>
Subject: Re: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
To: cypherpunks@al-qaeda.net
Date: Wednesday, April 7, 2010, 7:37 AM

Aside from a man-in-the-middle attack, it's highly possible that browser developers are not doing a very good job of managing and auditing the root CA certificates that they ship included with the browser releases. Further, it's possible that CAs aren't doing a good job of keeping track of what certificates they submit to browser developers.
Take a look at this discussion:
After reading that discussion, I'd be much less surprised to hear that a bogus root CA certificate, even one that fraudulently identified its source as a major trusted CA, was included in a series of browser releases from at least one of the major developers.
- VAB