[141070] in cryptography@c2.net mail archive


Re: Security by asking the drunk whether he's drunk

daemon@ATHENA.MIT.EDU (dan@geer.org)
Thu Dec 25 14:56:20 2008

From: dan@geer.org
To: Adam Shostack <adam@homeport.org>
cc: cryptography@metzdowd.com
In-Reply-To: Your message of "Sun, 21 Dec 2008 16:51:16 EST."
             <20081221215116.GA27445@homeport.org> 
Date: Tue, 23 Dec 2008 17:23:07 -0500


or asking "Can I trust you?"

-------------------------------------------------------

http://blog.startcom.org/?p=145

Slashdot and others are reporting on this story about how it was
possible for a person to receive a completely valid certificate for
a random domain of his choosing without any questions or verification.
In this case he generated a certificate for mozilla.com from a
reseller of the Comodo certificate authority.  I'm hoping this is
just a single instance but it makes you remember that the browser
pre-trusted certificate authorities really need to be cleaned up.

If it's not obvious enough, this is not good for Tor users due to
the fact that we try to rely on SSL certificates to make sure that
traffic isn't sniffed while using Tor.

-Roc Tor Admin

-------------------------------------------------------
