Use a low cost or free SSL provider (read: no legal warchest) VIOLATED!

gwen hastings gwen@cypherpunks.to
Fri Oct 4 08:36:47 PDT 2013


So those of us using the lower cost tier of SSL cert provider(s) are
definitely hosed at this point (but I figured the NSA had an intermediate
CA in the browser chain someplace, and this is getting to be an old story),
and with that intermediate CA allowed to sign wildcard and same-name
certs (in fact, with the intermediate CA cert in possession this can be
done on the fly with certain equipment), even private keys correctly
handled (locally generated) fall in the face of this kind of attack. Now
of course I am wondering whether folks who knew this and then used the
onsite generator for private key gen, as opposed to locally generated
keys via openssl, simply had the private key copied off to the NSA under the
authority of an NSL (and given the above scenarios of a MITM cert-
generating intermediate CA, does it even matter which way you get fucked?).

      startssl and cheapssl both being US based means a LOT of folks are
FUCKED..
 Firefox has a browser plugin to detect changes in the server cert, BUT
if all looks plausible MOST of us will click right on through (the SSL
infrastructure and governance being hopelessly broken from any rational
point of view...)

              gwen
-- 
‘Governments are instituted among men,
 deriving their just powers from the consent of the governed,
that whenever any form of government becomes destructive
of these ends, it is the right of the people to alter or
 abolish it, and to institute new government, laying its
 foundation on such principles, and organizing its powers
 in such form, as to them shall seem most likely to effect
 their safety and happiness.’
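The Firefox plugin mentioned in the post does trust-on-first-use pinning: remember the leaf certificate a host served, and complain when it changes. The following is an added illustration of that check in Python; it is not code from the post, from Firefox, or from any plugin. It adds the verdict logic a defender would want in order not to "click right on through": a same-issuer renewal shortly before the pinned certificate expires is treated as plausible rotation, while an early swap or a change of issuer (the intermediate-CA scenario above) is flagged and left unpinned. The hostname, issuer names and the DER stand-ins are constructed; RENEWAL_WINDOW is an assumed policy value; in real use the DER bytes would come from ssl.SSLSocket.getpeercert(binary_form=True).

```python
"""Trust-on-first-use (TOFU) pinning with a change classifier.

Added example; constructed data, not a real pin store or real certificates.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed policy: a renewal this close to the old expiry is what legitimate rotation looks like.
RENEWAL_WINDOW = timedelta(days=30)


@dataclass(frozen=True)
class ObservedCert:
    """Leaf certificate as seen in a TLS handshake (the fields a client would parse)."""
    host: str
    der: bytes            # DER bytes of the leaf certificate
    issuer: str           # issuer distinguished name
    not_after: datetime   # expiry, timezone-aware


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes: the usual pin identifier."""
    return hashlib.sha256(der).hexdigest()


class PinStore:
    """Remembers the first certificate seen per host and classifies later ones."""

    def __init__(self) -> None:
        self._pins: dict[str, ObservedCert] = {}

    def check(self, cert: ObservedCert, now: datetime) -> str:
        pinned = self._pins.get(cert.host)
        if pinned is None:
            self._pins[cert.host] = cert
            return "first-seen"
        if fingerprint(pinned.der) == fingerprint(cert.der):
            return "unchanged"
        # The certificate changed. Only a same-issuer renewal near the old
        # expiry is accepted as rotation; anything else stays unpinned so
        # the caller has to verify out of band rather than click through.
        same_issuer = pinned.issuer == cert.issuer
        near_expiry = pinned.not_after - now <= RENEWAL_WINDOW
        if same_issuer and near_expiry:
            self._pins[cert.host] = cert
            return "rotated"
        return "suspicious"

    def accept(self, cert: ObservedCert) -> None:
        """Manual override after the new certificate was verified out of band."""
        self._pins[cert.host] = cert


def demo() -> list[str]:
    """Run the classifier over a constructed sequence of observations."""
    now = datetime(2013, 10, 4, tzinfo=timezone.utc)
    store = PinStore()
    # Constructed stand-ins for DER blobs and issuer names.
    original = ObservedCert("example.test", b"constructed-der-1",
                            "CN=Budget CA Intermediate", now + timedelta(days=300))
    early_swap = ObservedCert("example.test", b"constructed-der-2",
                              "CN=Budget CA Intermediate", now + timedelta(days=365))
    other_issuer = ObservedCert("example.test", b"constructed-der-3",
                                "CN=Some Other Intermediate", now + timedelta(days=365))
    return [
        store.check(original, now),                          # first-seen
        store.check(original, now),                          # unchanged
        store.check(early_swap, now),                        # suspicious: same issuer, 300 days early
        store.check(other_issuer, now),                      # suspicious: different issuer
        store.check(early_swap, now + timedelta(days=280)),  # rotated: 20 days before expiry
        store.check(early_swap, now + timedelta(days=281)),  # unchanged: re-pinned
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The point of the two "suspicious" verdicts is that both replacement certificates would validate perfectly in a browser if a trusted intermediate signed them; only the history kept by the pin store makes the swap visible.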
More information about the cypherpunks mailing list