[SSL Observatory] SSL CA compromise in the wild

Adam Langley agl at google.com
Wed Mar 23 14:58:48 PDT 2011


On Wed, Mar 23, 2011 at 5:41 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> HSTS helps because at least with Chrome, it requires OCSP checking to
> pass. Thus a MITM cannot (without compromising the CA entirely) simply
> deny CRL/OCSP checks.

Unfortunately this might change in the future if we want more
significant Google properties to enable HSTS. We are not willing to
tie our fate to the serving ability of our CA.


AGL


