nanog mailing list archives
Re: The state-level attack on the SSL CA security model
From: Dan White <dwhite () olp net>
Date: Thu, 24 Mar 2011 09:59:14 -0500
On 24/03/11 10:09 -0400, Harald Koch wrote:
> On 3/23/2011 11:05 PM, Martin Millnert wrote:
>> To my surprise, I did not see a mention in this community of the latest proof of the complete failure of the SSL CA model to actually do what it is supposed to: provide security, rather than a false sense of security.
>
> This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place.
The point is that the 'short amount of time' should have been zero (from the time of the update of the CRL) which would have allowed an immediate announcement of the revocation to the public, with sufficient details for the public to make educated decisions about their internet usage. But because the CRL publication did not facilitate that, due to whatever deficiency there existed in the protocol or in browser implementations, announcement had to be delayed, providing a small group of attackers a larger window than necessary to compromise information.

-- 
Dan White
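The mechanism in dispute above, as an added example that is not part of the thread: the relying-party side of CRL checking, written in Go against the standard library's crypto/x509 (Go 1.19 or later, for ParseRevocationList and RevocationList.CheckSignatureFrom). Everything in it is constructed for the example: the CA "Example Test CA", the host login.example.test, the serial numbers and CRL numbers, and the helper names newCert, publishCRL, checkRevocation and runScenario. It builds a throwaway CA and one server certificate, has the CA revoke that certificate, and then evaluates the certificate against three CRLs: one a client fetched before the revocation (still reports good, which is the window the message describes), the freshly published one (revoked), and an old one past its NextUpdate (must be treated as unknown, never as good).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RevocationStatus is what a relying party concludes after consulting a CRL.
type RevocationStatus int
const (
	StatusGood    RevocationStatus = iota // serial absent from a valid, current CRL
	StatusRevoked                         // serial listed in a valid, current CRL
	StatusUnknown                         // CRL unusable: bad signature or past NextUpdate
)

// checkRevocation is the relying-party side: verify the CRL signature against the
// issuing CA, refuse a CRL past its NextUpdate, then look the serial number up.
func checkRevocation(cert, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) RevocationStatus {
	if crl.CheckSignatureFrom(ca) != nil || now.After(crl.NextUpdate) {
		return StatusUnknown // a stale CRL says nothing about revocations since it was issued
	}
	for _, rc := range crl.RevokedCertificates { // pre-1.21 field name; still populated by ParseRevocationList
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return StatusRevoked
		}
	}
	return StatusGood
}

// newCert signs tmpl with parentKey (self-signed when parent is nil); constructed test material only.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// publishCRL signs a CRL with the given entries, valid for 24h from thisUpdate.
func publishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, number int64, thisUpdate time.Time, revoked []pkix.RevokedCertificate) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(number), ThisUpdate: thisUpdate,
		NextUpdate: thisUpdate.Add(24 * time.Hour), RevokedCertificates: revoked}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// runScenario issues a server certificate, has the CA revoke it, and reports the verdict reached
// with a CRL cached before the revocation, with the fresh CRL, and with a CRL past its NextUpdate.
func runScenario() (map[string]RevocationStatus, error) {
	now := time.Now()
	ca, caKey, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign is required to sign CRLs
	}, nil, nil)
	if err != nil {
		return nil, err
	}
	const host = "login.example.test" // constructed host name
	leaf, _, err := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	revokedLeaf := []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now.Add(-time.Minute)}}
	cached, err1 := publishCRL(ca, caKey, 1, now.Add(-2*time.Hour), nil)        // CRL #1: fetched before the revocation
	fresh, err2 := publishCRL(ca, caKey, 2, now.Add(-time.Minute), revokedLeaf) // CRL #2: published after it
	expired, err3 := publishCRL(ca, caKey, 0, now.Add(-48*time.Hour), nil)      // CRL #0: NextUpdate long past
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("publishing CRLs: %v / %v / %v", err1, err2, err3)
	}
	return map[string]RevocationStatus{
		"cached":  checkRevocation(leaf, ca, cached, now),
		"fresh":   checkRevocation(leaf, ca, fresh, now),
		"expired": checkRevocation(leaf, ca, expired, now),
	}, nil
}

func main() { fmt.Println(runScenario()) } // map[cached:0 expired:2 fresh:1] <nil>
```

checkRevocation deliberately refuses a CRL whose NextUpdate has passed instead of reading an absent serial as "good": an out-of-date list is silent about everything revoked since it was issued, which is exactly the gap the message complains about, and the "cached" verdict shows how a client holding the previous CRL keeps accepting the certificate until it refreshes. Note also that crypto/x509's Verify performs no revocation checking of its own, so a client has to do this step separately from path validation.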