Re: [ZS] Why centralized infrastructure doesn't work

On Tue, Jun 5, 2012 at 2:51 AM, Rüdiger Koch <rudiger.koch@googlemail.com> wrote:
http://news.slashdot.org/story/12/06/04/1211206/microsoft-certificate-was-us...
SSL and CAs being completely b0rked out of the gate and all that... #include Moxie Marlinspike's talk last summer.
Imagine such an incident in something that's really important - such as a payment infrastructure. I think this goes to show that *anything* that relies on trust authorities must be avoided like the plague.
Centralized SSL authorities being compromised has been a problem for nearly five years now. Plus, there is no way of knowing how many "*.*" certs are floating around out there because they're just files that can be copied. Also, there are CAs which will sell *.* MITM-capable certs to whomever is willing to pay for them because they are then loaded into "loss prevention" devices to look for data exfiltration. So, on that front the battle's already lost because one corporation's MITM cert is another's surveillance tool. Has convergence.io gotten any easier to use, or does it still have a certificate-hairball heart attack the first time one runs a Google search?

--
The Doctor [412/724/301/703] [ZS]
https://drwho.virtadpt.net/
"I am everywhere."

--
Zero State mailing list: http://groups.google.com/group/DoctrineZero

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
participants (1): Bryce Lynch