On Wed, Nov 1, 2017 at 12:18 AM, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote:
> This came up on another list, the Comodo CA and all of the roots it controls (which include a pile of other CAs unrelated to Comodo that it's bought up over the years) was recently acquired by Francisco Partners:
>
> http://www.eweek.com/security/francisco-partners-acquires-comodo-s-certifica...
>
> who also have a stake in SonicWall, "the leader in Deep Packet Inspection (DPI) and we've got a lot going on in that space", Procera (same), and formerly had a stake in Blue Coat, whose products have been used by repressive regimes against their citizens.
>
> It's amusing that a perfect mechanism for performing MITM attacks is now controlled by a company who has other arms that actively perform MITM attacks.

It's amusing that root cert bundles are completely filled with governments and corporations and all other manner of third parties which you have no reason to assign any real trust to. CAs are a scam, foisted upon the web industry by marketing, upon users by the nag icon and popups, and upon browsers for inclusion money, and other games... all for one purpose only... the generation of rents over the TLS services back to the CAs themselves, under threat of loss of revenue due to said panic nag reaction if they don't pay up... pure genius. Hook, line, sinker. Now of course the system is being exploited by the above parties, rogues, spies, and criminal hackers alike. TOFU combined with decentralized cert and revocation observatories injected with the occasional out of band verification, would have been sufficient. We even more so now have that ability... where perhaps a transaction on a blockchain is a website's cert fingerprint signed by its CEO, and confirmations are perhaps each new matching TOFU from userland.