[Security] Rogue CAs

Ralph J.Mayer rmayer at vinotech.de
Wed Dec 31 10:55:52 CST 2008


> Well, for *ME*, it's dead. Maybe I should emphasize more that it's my

Well, let's say "it has some problems".

Like:
- too many CAs in your browser (think about the one who got himself a
  "valid" cert for mozilla.com)
- revocation does not work; it's even disabled by default in current
  versions of web browsers
- broken software, not able to verify the chain of trust ...
- the users: no one wants to compare the fingerprint of www.bank.com
  to the one he got in a letter from that very bank every time he
  visits the website.

Sad fact: right now, it's the best we have.


rm
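Two of the points above (browsers that skip revocation checks, and the fingerprint-in-a-letter comparison nobody does by hand) can be made concrete in a few lines of client code. The following is an added example written for this page, not code from the mail's author or from any project it mentions. It assumes Python's standard `ssl` and `hashlib` modules; the helper names, the pin list format and the sample "certificate" bytes are constructed for illustration and are not a real certificate.

```python
"""Fingerprint pinning plus a strict TLS client context (added example).

Assumptions not taken from the original mail: the function names are
hypothetical, SAMPLE_DER is a constructed placeholder rather than a real
DER certificate, and the pin formats accepted are the ones openssl and
HPKP-style configs commonly print.
"""
import hashlib
import hmac
import socket
import ssl


def normalize_fingerprint(fp: str) -> str:
    """Accept 'SHA256 Fingerprint=AB:CD:...' (openssl x509 -fingerprint),
    'sha256/abcd...' or bare hex, and return 64 lowercase hex chars."""
    fp = fp.strip()
    if "=" in fp:                      # 'SHA256 Fingerprint=...'
        fp = fp.split("=", 1)[1]
    if fp.lower().startswith("sha256/"):
        fp = fp[len("sha256/"):]
    fp = fp.replace(":", "").replace(" ", "").lower()
    if len(fp) != 64 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return fp


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the same value openssl prints."""
    return hashlib.sha256(der).hexdigest()


def pin_matches(der: bytes, pins) -> bool:
    """True if the certificate matches any pinned fingerprint.

    compare_digest keeps the comparison constant-time, and every pin is
    checked (no early return) so timing does not reveal which one matched."""
    actual = cert_fingerprint(der)
    matched = False
    for pin in pins:
        if hmac.compare_digest(actual, normalize_fingerprint(pin)):
            matched = True
    return matched


def strict_client_context(crl_file=None) -> ssl.SSLContext:
    """A client context that refuses unverified chains and wrong hostnames.

    Revocation is opt-in in the ssl module: VERIFY_CRL_CHECK_LEAF makes
    every handshake fail unless a CRL has been loaded, so it is only set
    when a CRL file (PEM) is supplied."""
    ctx = ssl.create_default_context()          # platform trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    if crl_file is not None:
        ctx.load_verify_locations(cafile=crl_file)
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def describe_context(ctx: ssl.SSLContext) -> dict:
    """Summarize the settings that matter, for checks and logging."""
    return {
        "check_hostname": bool(ctx.check_hostname),
        "cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "strict_x509": bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT),
        "crl_check": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF),
        "min_tls12": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


def verify_peer_pin(host: str, port: int, pins, timeout: float = 5.0) -> str:
    """Connect, let the chain be verified against the trust store, then also
    require the leaf to match a pin. This is the only networked function
    and is not exercised by the sample below."""
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pins):
                raise ssl.SSLError("pin mismatch for %s: %s"
                                   % (host, cert_fingerprint(der)))
            return cert_fingerprint(der)


# Constructed placeholder standing in for a DER certificate (not a real cert).
SAMPLE_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_PIN = cert_fingerprint(SAMPLE_DER)
SAMPLE_PIN_OPENSSL_STYLE = "SHA256 Fingerprint=" + ":".join(
    SAMPLE_PIN[i:i + 2].upper() for i in range(0, 64, 2))

if __name__ == "__main__":
    print("pin matches:", pin_matches(SAMPLE_DER, [SAMPLE_PIN_OPENSSL_STYLE]))
    print(describe_context(strict_client_context()))
```

Pinning is what the "compare the fingerprint from the letter" bullet amounts to when the browser does it instead of the user; keep a backup pin in the list, or the first key rotation locks clients out.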

