So for those of us using the Lower cost tier of SSL cert provider(s) are definitely hosed at this point(but I figured the NSA had an intermediate CA in the browser chain someplace,and this is getting to be an old story and with that Intermediate CA allowed to sign wildcard and same name certs(in fact with the intermediate CA cert in possession this can be done on the fly with certain equipment) even private keys correctly handled(locally generated) fall in the face of this kind of attack. Now of course I am wondering for folks who knew this and then used the onsite generator for private key gen as opposed to locally generated keya via openssl simply had the private key copied off to NSA under the authority of an NSL.(and given the above scenarios of a MITM cert generating Intermediate CA does it even matter which way you get fucked?). startssl and cheapssl both being US based means a LOT of folks and FUCKED.. firefox has a browser plugin to detect changes in the server cert BUT if all looks plausible MOST of us will click right on through(the SSL infrastructure and governance being hopelessly broken from any rational point of view...) gwen -- Governments are instituted among men, deriving their just powers from the consent of the governed, that whenever any form of government becomes destructive of these ends, it is the right of the people to alter or abolish it, and to institute new government, laying its foundation on such principles, and organizing its powers in such form, as to them shall seem most likely to effect their safety and happiness.’