shit's sure funny, yo
(now you can stop worrying, and just kill all built-in CAs as they're even less trustworthy than snakeoil self-signed certs) http://www.h-online.com/security/news/item/Further-evidence-of-Certificate-A... Further evidence of Certificate Authority break-ins Among other things, the sharp rise in certificate revocations has been caused by the increased use of encryption technologies. Zoom Source: Electronic Frontier Foundation (EFF) In a feature article on the security of SSL, Peter Eckersley from the Electronic Frontier Foundation has said that at least five Certificate Authorities (CAs) have been compromised in the past four months. Eckersley extracted this information from the revocation lists that are released by the CAs. These "Certificate Revocation Lists" (CRLs) contain certificates that can no longer be considered valid. CAs revoke certificates for a variety of reasons b for example, when customers close down a business division (cessation of operation) or lose their secret key (key compromise). What was notable was the inclusion of 248 cases in the CRLs where the stated reason was that the responsible Certificate Authority had been compromised. Up to June 2011, only 55 certificates were revoked for this reason. The nearly 200 certificates that have been revoked since then were issued by five different CAs. This means that, within only four months, hackers compromised at least five CAs in order to issue unauthorised certificates. And that is only the absolute minimum. In the large majority of cases b over 900,000 in total b the CRL issuer chose not to fill in the field where a reason can be given. Such CA intrusions are problematic because any of the accredited Certificate Authorities can issue certificates for any web page. Browsers will accept them without complaint b and that applies to Gmail as much as to Deutsche Bank's online banking facility. According to SSL Observatory, our browsers trust more than 600 CAsPDF in over 50 countries. See also: CA DigiNotar bankrupt after SSL certificate debacle, a report from The H. Fake Google certificate is the result of a hack, a report from The H. Single hacker claims responsibility for Comodo certificate theft, a report from The H.
participants (1)
-
Eugen Leitl