[18288] in cryptography@c2.net mail archive
Re: Another entry in the internet security hall of shame....
daemon@ATHENA.MIT.EDU (Peter Gutmann)
Fri Aug 26 10:27:20 2005
X-Original-To: cryptography@metzdowd.com
From: pgut001@cs.auckland.ac.nz (Peter Gutmann)
To: kelsey.j@ix.netcom.com
Cc: cryptography@metzdowd.com
In-Reply-To: <14613346.1124847722664.JavaMail.root@elwamui-chisos.atl.sa.earthlink.net>
Date: Sat, 27 Aug 2005 01:56:32 +1200
John Kelsey <kelsey.j@ix.netcom.com> writes:

>Recently, Earthlink's webmail server certificate started showing up as
>expired. (It obviously expired a long time ago; I suspect someone must have
>screwed up in changing keys over or something, because the problem wasn't
>happening up until recently.)

This is now the third time in the last few months in which invalid/expired SSL
server certs have totally failed to have any effect, at least until a security
person noticed that there was a problem. Maybe one of the HCI people reading
the list could be persuaded to investigate whether SSL server certs have any
real security value and/or what changes to the UI need to be made to make them
useful. Alternatively, how long can you get away with a $19.95 cert from
Honest Joe's Used Cars and Certificates that expired several years ago?

Peter.