Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

[Martin Millnert <millnert () gmail com>]

Steinar,

On Sun, Sep 11, 2011 at 8:12 PM,  <sthaug () nethelp no> wrote:
> > To pop up the stack a bit it's the fact that an organization willing to
> > behave in that fashion was in my list of CA certs in the first place.
> > Yes they're blackballed now, better late than never I suppose. What does
> > that say about the potential for other CAs to behave in such a fashion?
>
> I'd say we have every reason to believe that something similar *will*
> happen again :-(

Something similar, including use of purchased (not only limited to
stolen certs), is ongoing already, all of the time.  (I had a fellow
IRC-chat-friend report from a certain very western-allied middle
eastern country that there's ISP/state-scale SSL-MITM ongoing there,
for all https traffic.)

The comment on starting out with an empty /etc/ssl is valid.  Most of
the normally included CA's you almost never run into on the wild web
anyway. There were some blog postings about this last time a CA was
busted. Shave off 90% of them and you have at least come a bit on the
way (goal 100%).

The absence of proof is *not* proof of absence, and in this particular
case it's pretty safe to assume some abuse is ongoing somewhere, 24/7.

Cheers,
Martin