shit's sure funny, yo

Eugen Leitl eugen at leitl.org
Fri Oct 28 04:21:22 PDT 2011


(now you can stop worrying, and just kill all built-in CAs
as they're even less trustworthy than snakeoil self-signed certs)

http://www.h-online.com/security/news/item/Further-evidence-of-Certificate-Authority-break-ins-1367856.html

Further evidence of Certificate Authority break-ins

[Figure: Among other things, the sharp rise in certificate revocations has been caused by the increased use of encryption technologies. Source: Electronic Frontier Foundation (EFF)]

In a feature article on the security of SSL, Peter Eckersley from the
Electronic Frontier Foundation has said that at least five Certificate
Authorities (CAs) have been compromised in the past four months. Eckersley
extracted this information from the revocation lists that are released by the
CAs.

These "Certificate Revocation Lists" (CRLs) contain certificates that can no
longer be considered valid. CAs revoke certificates for a variety of reasons,
for example when customers close down a business division (cessation of
operation) or lose their secret key (key compromise). What was notable was
the inclusion of 248 cases in the CRLs where the stated reason was that the
responsible Certificate Authority had been compromised. Up to June 2011, only
55 certificates had been revoked for this reason. The nearly 200 certificates
revoked since then were issued by five different CAs.

This means that, within only four months, attackers compromised at least five
CAs in order to issue unauthorised certificates. And that is only the
absolute minimum: in the large majority of cases (over 900,000 in total)
the CRL issuer chose not to fill in the field where a reason can be given.
Such CA intrusions are problematic because any of the accredited Certificate
Authorities can issue certificates for any website. Browsers will accept
them without complaint, and that applies to Gmail as much as to Deutsche
Bank's online banking facility. According to the SSL Observatory, our browsers
trust more than 600 CAs (PDF) in over 50 countries.
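Eckersley's count rests on the reasonCode extension carried by each CRL entry. As an added example (not code from the article, The H, or the EFF), the Python below uses the cryptography library to build a small constructed CRL (throwaway EC key, made-up issuer name and serial numbers), then tallies the entries by reason and lists those marked cACompromise. Entries with no reasonCode at all are counted separately, which is how the article's 900,000 unattributed revocations would show up in such a tally.

```python
import datetime
from collections import Counter
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed sample entries: (serial, reason). A reason of None mimics the
# many CRL entries that carry no reasonCode extension at all.
SAMPLE_ENTRIES = [
    (0x1001, x509.ReasonFlags.key_compromise),
    (0x1002, x509.ReasonFlags.cessation_of_operation),
    (0x1003, x509.ReasonFlags.ca_compromise),
    (0x1004, x509.ReasonFlags.ca_compromise),
    (0x1005, None),
    (0x1006, None),
]


def build_sample_crl(entries=SAMPLE_ENTRIES) -> bytes:
    """Sign a DER-encoded CRL with a throwaway key under a hypothetical issuer name."""
    key = ec.generate_private_key(ec.SECP256R1())
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    now = datetime.datetime(2011, 10, 28)  # naive datetimes are treated as UTC here
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer)
               .last_update(now)
               .next_update(now + datetime.timedelta(days=7)))
    for serial, reason in entries:
        rb = x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(now)
        if reason is not None:
            rb = rb.add_extension(x509.CRLReason(reason), critical=False)
        builder = builder.add_revoked_certificate(rb.build())
    return builder.sign(key, hashes.SHA256()).public_bytes(serialization.Encoding.DER)


def _reason_of(revoked) -> str:
    """Name of the entry's reasonCode, or 'no_reason_given' when the extension is absent."""
    try:
        return revoked.extensions.get_extension_for_class(x509.CRLReason).value.reason.name
    except x509.ExtensionNotFound:
        return "no_reason_given"


def tally_reasons(der: bytes) -> dict:
    """Count revoked entries per reasonCode, the way the EFF's CRL survey does."""
    return dict(Counter(_reason_of(r) for r in x509.load_der_x509_crl(der)))


def ca_compromise_serials(der: bytes) -> list:
    """Serials whose stated reason is that the issuing CA itself was compromised."""
    return [r.serial_number for r in x509.load_der_x509_crl(der)
            if _reason_of(r) == "ca_compromise"]
```

Pointing `tally_reasons` at a real CA's published CRL (fetched from the CRL distribution point in one of its certificates) gives the per-reason breakdown the article describes.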

See also:

    CA DigiNotar bankrupt after SSL certificate debacle, a report from The H.
    Fake Google certificate is the result of a hack, a report from The H.
    Single hacker claims responsibility for Comodo certificate theft, a report from The H.