[138977] in North American Network Operators' Group
Re: The state-level attack on the SSL CA security model
daemon@ATHENA.MIT.EDU (Brian Keefer)
Thu Mar 24 17:02:25 2011
From: Brian Keefer <chort@smtps.net>
In-Reply-To: <4D8B5089.4010507@pobox.com>
Date: Thu, 24 Mar 2011 07:34:20 -0700
To: Harald Koch <chk@pobox.com>
Cc: NANOG <nanog@nanog.org>
On Mar 24, 2011, at 7:09 AM, Harald Koch wrote:
> On 3/23/2011 11:05 PM, Martin Millnert wrote:
>> To my surprise, I did not see a mention in this community of the
>> latest proof of the complete failure of the SSL CA model to actually
>> do what it is supposed to: provide security, rather than a false sense
>> of security.
>
> This story strikes me as a success - the certs were revoked immediately,
> and it took a surprisingly short amount of time for security fixes to
> appear all over the place.
>
> <snip>
> -- 
> Harald
I'd hardly call the fact that it required manual blacklist patches to
every browser a "success". SSL is a failure if real revocation requires
creating a patch for browsers and relying on users to install it.
--
bk
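The alternative to a hard-coded browser blacklist that the reply above alludes to is revocation carried by the PKI itself: the issuing CA signs a CRL (or an OCSP response) and the client checks the certificate's serial against it, trusting the list only if the signature, issuer and freshness check out. The following Go program is an added illustration of that check, not code from the thread or from any browser vendor. It builds a throwaway in-memory CA, issues one leaf certificate (the CA name, host name "login.example.test" and serial 1001 are invented for the example), signs a CRL, and runs a client-side check that returns "good", "revoked", or refuses to decide when the CRL is not signed by the issuer or is past its NextUpdate.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a throwaway, in-memory CA with one issued leaf and one signed CRL.
// Everything is constructed here for the example; nothing comes from the network.
type testPKI struct {
	CA   *x509.Certificate
	Leaf *x509.Certificate
	CRL  []byte // DER-encoded CRL signed by CA
}

const leafSerial = 1001 // hypothetical serial of the issued leaf

// buildPKI creates a CA named caName, issues one leaf (serial 1001) for a
// hypothetical host, and signs a CRL listing the given serials as revoked.
func buildPKI(caName string, revoked ...int64) (*testPKI, error) {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign needed to sign CRLs
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(leafSerial),
		Subject:      pkix.Name{CommonName: "login.example.test"}, // hypothetical host
		DNSNames:     []string{"login.example.test"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, err
	}
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	crlTmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now,
		NextUpdate:          now.Add(time.Hour), // short lifetime: a stale CRL must not be trusted
		RevokedCertificates: entries,
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	return &testPKI{CA: ca, Leaf: leaf, CRL: crlDER}, nil
}

// revocationStatus is the client-side check. It returns "good" or "revoked",
// or an error when the CRL cannot be relied on (not signed by the issuer, for a
// different issuer, or past NextUpdate). An unverifiable CRL is never "good".
func revocationStatus(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (string, error) {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", err
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return "", fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if !bytes.Equal(rl.RawIssuer, cert.RawIssuer) {
		return "", errors.New("CRL issuer does not match certificate issuer")
	}
	if now.After(rl.NextUpdate) {
		return "", errors.New("CRL is stale; refusing to decide on it")
	}
	for _, rc := range rl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}

func main() {
	clean, _ := buildPKI("Example Test CA")
	fmt.Println(revocationStatus(clean.Leaf, clean.CA, clean.CRL, time.Now()))
	rev, _ := buildPKI("Example Test CA", leafSerial)
	fmt.Println(revocationStatus(rev.Leaf, rev.CA, rev.CRL, time.Now()))
	// A CRL signed by a different key (the first CA's) is rejected, not silently ignored.
	fmt.Println(revocationStatus(rev.Leaf, rev.CA, clean.CRL, time.Now()))
}
```

The point of the third call in main is the part browsers historically got wrong: a client that treats a missing, stale or unverifiable CRL as "good" (soft-fail) gives an attacker who can block the CRL fetch the same result as no revocation at all, which is why vendors fell back to shipping blacklists in updates.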