[Cryptography] hard to trust all those root CAs

grarpamp grarpamp@gmail.com
Sat Jul 19 22:45:35 PDT 2014


On Sat, Jul 19, 2014 at 5:03 PM, John Denker <jsd@av8n.com> wrote:
> AFAICT, a lot of existing protocols were designed to resist
> passive eavesdropping.  In contrast, the idea of large-scale
> MITM attacks was sometimes considered tin-foil-hat paranoia.
> To this day, standard Ubuntu Firefox trusts 162 different
> authorities (including the Hong Kong Post Office) to certify
> /anything and everything/.
>
> In the /usr/share/ca-certificates/mozilla directory, only one
> of 163 root certificates has any v3 Name Constraints at all.
> Why Ubuntu and Firefox tolerate this is beyond me; I can
> understand trusting Microsoft to sign Microsoft-related stuff,
> but allowing them to sign /anything and everything/ ?!????!!

The mozilla bundle includes about 150. It would be nice if the
new cert observatoris publish a count of how many end certs
they see each root cert covers... a topN list of sorts. Then you
could save some time by including the N of your choice into your
'empty by default' list. I think the distribution would be severly
skewed to maybe top 10 or 15 covers most any place.



More information about the cypherpunks mailing list