nanog mailing list archives
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates
From: Martin Millnert <millnert () gmail com>
Date: Mon, 12 Sep 2011 16:09:43 +0200
Steinar, On Sun, Sep 11, 2011 at 8:12 PM, <sthaug () nethelp no> wrote:
To pop up the stack a bit it's the fact that an organization willing to behave in that fashion was in my list of CA certs in the first place. Yes they're blackballed now, better late than never I suppose. What does that say about the potential for other CAs to behave in such a fashion?I'd say we have every reason to believe that something similar *will* happen again :-(
Something similar, including use of purchased (not only limited to stolen certs), is ongoing already, all of the time. (I had a fellow IRC-chat-friend report from a certain very western-allied middle eastern country that there's ISP/state-scale SSL-MITM ongoing there, for all https traffic.) The comment on starting out with an empty /etc/ssl is valid. Most of the normally included CA's you almost never run into on the wild web anyway. There were some blog postings about this last time a CA was busted. Shave off 90% of them and you have at least come a bit on the way (goal 100%). The absence of proof is *not* proof of absence, and in this particular case it's pretty safe to assume some abuse is ongoing somewhere, 24/7. Cheers, Martin
Current thread:
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates, (continued)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Dan White (Sep 09)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Heinrich Strauss (Sep 10)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Jimmy Hess (Sep 10)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Jimmy Hess (Sep 09)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Damian Menscher (Sep 10)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Michael Painter (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Cameron Byrne (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Bjørn Mork (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Joel jaeggli (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates sthaug (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Martin Millnert (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates Damian Menscher (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Joe Greco (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Marcus Reid (Sep 11)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Valdis . Kletnieks (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases fredrik danerklint (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Måns Nilsson (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Valdis . Kletnieks (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases fredrik danerklint (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Måns Nilsson (Sep 12)
- Re: Microsoft deems all DigiNotar certificates untrustworthy, releases Tony Finch (Sep 12)