[SSL Observatory] SSL CA compromise in the wild
Ludwig Nussel
ludwig.nussel at suse.de
Wed Mar 23 02:51:50 PDT 2011
Peter Gutmann wrote:
> Jacob Appelbaum <jacob at appelbaum.net> writes:
>
> >I wanted to start a thread about this blog post I just finished writing:
> >https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion
>
> Interesting bit of detective work! The discussion shows up (yet again) one of
> the killer problems of CRL/OCSP-style blacklisting, since you can only
> blacklist certs that you know the CA has issued, there could be arbitrary
> numbers of further certs out there that can't be revoked because the CA
> doesn't know that it issued them.
The global validity of certificates issued by the root CAs is what
scares me most. There is no "natural confinement" of a CA
compromise. If each CA would only be allowed to issue certificates for
a certain domain a compromise would also only affect that domain.
Of course a compromise of e.g. the .com CA would still be
catastrophic then but I could at least safely continue to log into
mybank.de.
cu
Ludwig
--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
More information about the Observatory
mailing list