[138922] in North American Network Operators' Group


Re: The state-level attack on the SSL CA security model

daemon@ATHENA.MIT.EDU (Dobbins, Roland)
Thu Mar 24 00:15:11 2011

From: "Dobbins, Roland" <rdobbins@arbor.net>
To: nanog group <nanog@nanog.org>
Date: Thu, 24 Mar 2011 04:13:37 +0000
In-Reply-To: <AANLkTik73H1TEMRTFWw1NCLUwOnWacE8xvqzcHYb6vN4@mail.gmail.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org


On Mar 24, 2011, at 11:05 AM, Martin Millnert wrote:

> Announcing this high and loud even before fixes were available would not have exposed more users to threats, but less.


An argument against doing this prior to fixes being available is that miscreants who didn't know about this previously would be alerted to the possibility of using one of these certs (assuming they could get their hands on one) in conjunction with name resolution manipulation.

Note that announcing this prior to fixes would've dramatically increased the resale value of these certificates in the underground economy, making them much more attractive/lucrative.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>

		The basis of optimism is sheer terror.

			  -- Oscar Wilde
