nanog mailing list archives
Re: The state-level attack on the SSL CA security model
From: Joakim Aronius <joakim () aronius se>
Date: Fri, 25 Mar 2011 12:27:48 +0100
* George Herbert (george.herbert () gmail com) wrote:
Back on original point - if the *actual effective* model of browser security is browsers with an internal revoked cert list - then there's a case to be made that a pre-announcement in private to the browser vendors, enough time for them to spin patches, and then widespread public discussion is the most responsible model approach. The public knowing before their browser knows how to handle the bad cert isn't helpful, unless you can effectively tell people how to get their browser to actually go verify every cert.
No. In the case of a remote exploitable hole in the client OS I agree, then the user can do nothing and will benefit if there is a patch before the knowledge of the problem is spread. But in this case it is a security hole in the server side. IF users are informed they can avoid using the service and thus avoid the risk. (And if the risk is to be on the wrong end of a stick, at least I would appreciate a warning.) So what about a general warning that secure communication with site X, Y and Z could be compromised? Maybe even a big warning on the sites themself to give a warning before you login? (It could be removed by a 'man in the middle', but it would spread the word.) I wonder why that didn't happen.. /J
Current thread:
- The state-level attack on the SSL CA security model Martin Millnert (Mar 23)
- Re: The state-level attack on the SSL CA security model Dobbins, Roland (Mar 23)
- Re: The state-level attack on the SSL CA security model Joakim Aronius (Mar 24)
- Re: The state-level attack on the SSL CA security model Dobbins, Roland (Mar 24)
- Re: The state-level attack on the SSL CA security model Florian Weimer (Mar 24)
- Re: The state-level attack on the SSL CA security model Dobbins, Roland (Mar 24)
- Re: The state-level attack on the SSL CA security model Franck Martin (Mar 24)
- Re: The state-level attack on the SSL CA security model George Herbert (Mar 24)
- Re: The state-level attack on the SSL CA security model Joakim Aronius (Mar 25)
- Re: The state-level attack on the SSL CA security model Owen DeLong (Mar 25)
- Re: The state-level attack on the SSL CA security model Joakim Aronius (Mar 24)
- Re: The state-level attack on the SSL CA security model Florian Weimer (Mar 25)
- Re: The state-level attack on the SSL CA security model Dobbins, Roland (Mar 25)
- Re: The state-level attack on the SSL CA security model Crist Clark (Mar 28)
- Re: The state-level attack on the SSL CA security model Florian Weimer (Mar 29)
- Re: The state-level attack on the SSL CA security model Crist Clark (Mar 29)
- Re: The state-level attack on the SSL CA security model Dobbins, Roland (Mar 23)
- RE: The state-level attack on the SSL CA security model Akyol, Bora A (Mar 25)
- Re: The state-level attack on the SSL CA security model Valdis . Kletnieks (Mar 25)
- RE: The state-level attack on the SSL CA security model Akyol, Bora A (Mar 25)
- Re: The state-level attack on the SSL CA security model Dorn Hetzel (Mar 25)