[Security] Rogue CAs

Eric Rescorla ekr at rtfm.com
Wed Dec 31 08:49:40 CST 2008


On Wed, Dec 31, 2008 at 6:29 AM, Jonathan Schleifer
<js-xmpp-security at webkeks.org> wrote:
> Pedro Melo <melo at simplicidade.org> wrote:
>
>> Hi,
>>
>> I'm no expert but this seems pretty bad:
>> http://www.phreedom.org/research/rogue-ca/
>>
>> Best regards,
>
> Yup, SSL is pretty much dead now.

Uh, no.

See my writeup here:
http://www.educatedguesswork.org/2008/12/understanding_the_sotirov_et_a.html


> First CAs not checking whom they
> issue the cert, then CAs still using MD5. At 25c3, I even tunnelled all
> SSL-connections through SSH, as you can't rely on SSL anymore.

Uh, there have been a grand total of two certificates that we know of being
issued to the wrong people. That's hardly the end of the world. Yes, I
totally agree that CA procedures could be significantly tighter, but I
think "can't rely" is rather too strong.

Additionally, the only part of SSL/TLS that this stuff implicates is
a feature SSH doesn't even have, namely third party authentication.
If you want to run SSL/TLS in a mode where you know the peer's key
already, it doesn't matter what the CAs do.

-Ekr
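Ekr's last point, that a peer whose key you already know is unaffected by what any CA does, is what certificate pinning implements. The following is an added example, not code from this thread or from any project it mentions: a Go client that skips CA chain building entirely and instead checks that the server's leaf certificate carries a pre-recorded public key (the SHA-256 of its SubjectPublicKeyInfo, an assumed choice of pin; the name example.test and the function names are also assumptions). A second self-signed certificate for the same name but a different key stands in for a mis-issued certificate and is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert makes a fresh P-256 key and a self-signed certificate for
// name (constructed for the example). No CA is involved at any point.
func selfSignedCert(name string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// spkiPin is the hex SHA-256 of the certificate's SubjectPublicKeyInfo, the
// value a client records ahead of time when it already knows the peer's key.
func spkiPin(der []byte) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:]), nil
}

// pinnedVerifier accepts a peer only if its leaf certificate carries the pinned
// key. Who signed it, and with which hash, never enters into the decision.
func pinnedVerifier(pin string) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no peer certificate")
		}
		got, err := spkiPin(rawCerts[0])
		if err != nil {
			return err
		}
		if got != pin {
			return fmt.Errorf("public key pin mismatch: got %s", got)
		}
		return nil
	}
}

// handshakeAgainst runs one loopback TLS handshake between a server presenting
// serverCert and a client that trusts only the pinned key. InsecureSkipVerify
// turns off CA chain building (and hostname checking); the pin check replaces it.
func handshakeAgainst(serverCert tls.Certificate, pin string) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake() // a rejection by the client surfaces as the client's error
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		InsecureSkipVerify:    true,
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: pinnedVerifier(pin),
	})
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	legit, _ := selfSignedCert("example.test")
	rogue, _ := selfSignedCert("example.test") // same name, different key: a mis-issued cert
	pin, _ := spkiPin(legit.Certificate[0])
	fmt.Println("pinned key accepted:", handshakeAgainst(legit, pin) == nil)
	fmt.Println("other key accepted: ", handshakeAgainst(rogue, pin) == nil)
}
```

The pin check lives in VerifyPeerCertificate, which Go's tls package still calls when InsecureSkipVerify is set (with a nil verified-chains argument). The trade-off is the one Ekr describes: the client gives up third-party authentication and takes on the job of knowing the peer's key in advance, so rotating the server key means updating every client's pin. main needs a usable loopback interface for the live handshake.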

