nanog mailing list archives

Previous By Date Next
Previous By Thread Next

Re: The state-level attack on the SSL CA security model

From: Joakim Aronius <joakim () aronius se>
Date: Thu, 24 Mar 2011 11:19:47 +0100
* Dobbins, Roland (rdobbins () arbor net) wrote:


On Mar 24, 2011, at 11:05 AM, Martin Millnert wrote:


Announcing this high and loud even before fixes were available would not have exposed more users to threats, but 
less.



An argument against doing this prior to fixes being available is that miscreants who didn't know about this 
previously would be alerted to the possibility of using one of these certs (assuming they could get their hands on 
one) in conjunction with name resolution manipulation.


The fix here is to delete the compromised UID and revoke the certs, thats done immediately, then inform the public, no 
reason to wait after that. IF the speculations about a specific nation is true then there is a risk that people there 
run real (like physical) risks by using e.g. yahoo the last few days. They would have appreciated being informed.


Note that announcing this prior to fixes would've dramatically increased the resale value of these certificates in 
the underground economy, making them much more attractive/lucrative.

Why? Surely the value of stolen certs are higher if the public do not know that they exist.

/Joakim
Previous By Date Next
Previous By Thread Next

Current thread: