Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates

Sarad AV jtrjtrjtr2001 at yahoo.com
Tue Apr 6 22:01:01 PDT 2010


That's the link if anyone doesn't prefer to follow the shortened URL.

http://www.theregister.co.uk/2010/04/06/mysterious_mozilla_apple_certificate/

Like Mr. Brennen says, this is very bad. I also wonder what the browser policy
for major browsers is when a root CA company is acquired by another company.
Is trust automatically transferred to the new company? Will the browser keep or
revoke these certificates?

Sarad.

--- On Wed, 4/7/10, V. Alex Brennen <alexbrennen at gmail.com> wrote:

> From: V. Alex Brennen <alexbrennen at gmail.com>
> Subject: Re: Fwd: [ PRIVACY Forum ] Surveillance via bogus SSL certificates
> To: cypherpunks at al-qaeda.net
> Date: Wednesday, April 7, 2010, 7:37 AM
>
> Aside from a man-in-the-middle attack, it's highly possible that
> browser developers are not doing a very good job of managing and
> auditing the root CA certificates that they ship included with the
> browser releases.  Further, it's possible that CAs aren't doing a
> good job of keeping track of what certificates they submit to browser
> developers.
>
> Take a look at this discussion:
>
>   http://bit.ly/a7b04A
>
> After reading that discussion, I'd be much less surprised to hear that
> a bogus root CA certificate, even one that fraudulently identified its
> source as a major trusted CA, was included in a series of browser
> releases from at least one of the major developers.
>
>
>     - VAB
