nanog mailing list archives

Re: The state-level attack on the SSL CA security model


From: Joakim Aronius <joakim () aronius se>
Date: Fri, 25 Mar 2011 12:27:48 +0100

* George Herbert (george.herbert () gmail com) wrote:
Back on original point - if the *actual effective* model of browser
security is browsers with an internal revoked cert list - then there's
a case to be made that a pre-announcement in private to the browser
vendors, enough time for them to spin patches, and then widespread
public discussion is the most responsible model approach.  The public
knowing before their browser knows how to handle the bad cert isn't
helpful, unless you can effectively tell people how to get their
browser to actually go verify every cert.


No. In the case of a remotely exploitable hole in the client OS I agree, then the user can do nothing and will benefit if 
there is a patch before the knowledge of the problem is spread. But in this case it is a security hole in the server 
side. IF users are informed they can avoid using the service and thus avoid the risk. (And if the risk is to be on the 
wrong end of a stick, at least I would appreciate a warning.)

So what about a general warning that secure communication with sites X, Y and Z could be compromised? Maybe even a big 
warning on the sites themselves to give a warning before you log in? (It could be removed by a 'man in the middle', but it 
would spread the word.)

I wonder why that didn't happen..

/J

