[Security] Rogue CAs
Ralph J. Mayer
rmayer at vinotech.de
Wed Dec 31 10:55:52 CST 2008
> Well, for *ME*, it's dead. Maybe I should emphasize more that it's my
Well, let's say "it has some problems".
Like:
- too many CAs in your browser (think about the one who got himself a
"valid" cert for mozilla.com)
- revocation does not work; it's even disabled by default in current
versions of web browsers
- broken software, not able to verify the chain of trust ...
- the users: no one wants to compare the fingerprint of www.bank.com
to the one he got in a letter from that very bank every
time he visits the website.
Sad fact: right now, it's the best we have.
rm