[144448] in North American Network Operators' Group
Re: Microsoft deems all DigiNotar certificates untrustworthy,
daemon@ATHENA.MIT.EDU (Martin Millnert)
Mon Sep 12 10:10:48 2011
In-Reply-To: <20110911.201218.74676712.sthaug@nethelp.no>
Date: Mon, 12 Sep 2011 16:09:43 +0200
From: Martin Millnert <millnert@gmail.com>
To: sthaug@nethelp.no
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
Steinar,
On Sun, Sep 11, 2011 at 8:12 PM, <sthaug@nethelp.no> wrote:
>> To pop up the stack a bit it's the fact that an organization willing to
>> behave in that fashion was in my list of CA certs in the first place.
>> Yes they're blackballed now, better late than never I suppose. What does
>> that say about the potential for other CAs to behave in such a fashion?
>
> I'd say we have every reason to believe that something similar *will*
> happen again :-(
Something similar, including use of purchased (not only limited to
stolen certs), is ongoing already, all of the time. (I had a fellow
IRC-chat-friend report from a certain very western-allied middle
eastern country that there's ISP/state-scale SSL-MITM ongoing there,
for all https traffic.)
The comment on starting out with an empty /etc/ssl is valid. Most of
the normally included CA's you almost never run into on the wild web
anyway. There were some blog postings about this last time a CA was
busted. Shave off 90% of them and you have at least come a bit on the
way (goal 100%).
The absence of proof is *not* proof of absence, and in this particular
case it's pretty safe to assume some abuse is ongoing somewhere, 24/7.
Cheers,
Martin
