[SSL Observatory] SSL CA compromise in the wild

Jacob Appelbaum jacob at appelbaum.net
Wed Mar 23 15:10:01 PDT 2011


On 03/23/2011 02:58 PM, Adam Langley wrote:
> On Wed, Mar 23, 2011 at 5:41 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>> HSTS helps because at least with Chrome, it requires OCSP checking to
>> pass. Thus a MITM cannot (without compromising the CA entirely) simply
>> deny CRL/OCSP checks.
> 
> Unfortunately this might change in the future if we want more
> significant Google properties to enable HSTS. We are not willing to
> tie our fate to the serving ability of our CA.

I think it makes sense to create a community of caching OCSP proxy
servers. Browsers could use it in the event of a CA failure.

It's not too much more of a privacy nightmare than OCSP without hard
failures... Is it?

All the best,
Jacob
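[Editor's note: the following is an added example and not code from this thread, from Chrome, or from any CA. It sketches the revocation-check policy that a caching OCSP proxy would let a browser keep when a CA's responder is unreachable, which is the trade-off Jacob and Adam are discussing above. Everything in it is hypothetical: the OCSPResponse dataclass carries only the fields a cache keys on (CertID, status, thisUpdate, nextUpdate), the "CA responder" is a constructed stub that can be switched off to simulate an outage or a MITM dropping OCSP traffic, and DER parsing and signature verification are left out.]

```python
"""Caching OCSP proxy sketch: hard-fail vs soft-fail when the CA responder is down.

Added example; not code from the thread, Chrome, or any CA.  All names and
timings are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple

# OCSP CertID reduced to what a cache needs to key on (hypothetical shape).
CertId = Tuple[str, int]  # (issuer key hash, certificate serial number)


@dataclass(frozen=True)
class OCSPResponse:
    cert_id: CertId
    status: str            # "good", "revoked" or "unknown"
    this_update: datetime  # when the responder produced this answer
    next_update: datetime  # the responder's own validity promise for this answer


class ResponderUnavailable(Exception):
    """The CA's responder could not be reached: an outage, or a MITM dropping OCSP."""


class CachingOCSPProxy:
    """Serve a cached response while it is inside [thisUpdate, nextUpdate); otherwise ask upstream."""

    def __init__(self, upstream: Callable[[CertId], OCSPResponse]) -> None:
        self._upstream = upstream
        self._cache: Dict[CertId, OCSPResponse] = {}

    @staticmethod
    def _valid_at(resp: OCSPResponse, now: datetime) -> bool:
        return resp.this_update <= now < resp.next_update

    def lookup(self, cert_id: CertId, now: datetime) -> Optional[OCSPResponse]:
        cached = self._cache.get(cert_id)
        if cached is not None and self._valid_at(cached, now):
            return cached  # CA may be down, but the responder itself said this answer is still good
        try:
            fresh = self._upstream(cert_id)
        except ResponderUnavailable:
            return None  # nothing valid in the cache and no upstream answer
        if not self._valid_at(fresh, now):
            return None  # refuse stale or not-yet-valid answers rather than poison the cache
        self._cache[cert_id] = fresh
        return fresh


def connection_allowed(resp: Optional[OCSPResponse], hard_fail: bool) -> bool:
    """Revocation policy: hard_fail models the HSTS behaviour described in the thread."""
    if resp is None:
        return not hard_fail  # soft-fail proceeds silently; hard-fail aborts the connection
    return resp.status == "good"


def simulate() -> Dict[str, object]:
    """Constructed scenario (not real data): CA responder healthy, then unreachable."""
    t0 = datetime(2011, 3, 23, 22, 0, tzinfo=timezone.utc)
    cert: CertId = ("sha1:example-issuer-key-hash", 0x0BADF00D)  # hypothetical CertID
    responder_up = {"state": True}
    upstream_calls = {"n": 0}

    def ca_responder(cert_id: CertId) -> OCSPResponse:
        upstream_calls["n"] += 1
        if not responder_up["state"]:
            raise ResponderUnavailable()
        return OCSPResponse(cert_id, "good", t0 - timedelta(hours=1), t0 + timedelta(days=1))

    proxy = CachingOCSPProxy(ca_responder)
    results: Dict[str, object] = {}

    # 1. Empty cache and CA unreachable: only soft-fail lets the connection through.
    responder_up["state"] = False
    r = proxy.lookup(cert, t0)
    results["no_cache_down_soft"] = connection_allowed(r, hard_fail=False)
    results["no_cache_down_hard"] = connection_allowed(r, hard_fail=True)

    # 2. CA back up: the response is fetched and cached.
    responder_up["state"] = True
    r = proxy.lookup(cert, t0 + timedelta(minutes=1))
    results["fetched_hard"] = connection_allowed(r, hard_fail=True)

    # 3. CA down again (or OCSP being blocked) but before nextUpdate: cache keeps hard-fail working.
    responder_up["state"] = False
    r = proxy.lookup(cert, t0 + timedelta(hours=12))
    results["cached_down_hard"] = connection_allowed(r, hard_fail=True)

    # 4. Past nextUpdate with the CA still down: the proxy will not serve a stale answer.
    r = proxy.lookup(cert, t0 + timedelta(days=2))
    results["expired_down_hard"] = connection_allowed(r, hard_fail=True)
    results["upstream_calls"] = upstream_calls["n"]
    return results


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Two things the sketch makes visible. First, the proxy only ever re-serves a response inside the responder's own thisUpdate/nextUpdate window, which is exactly the window an attacker replaying a captured "good" response already has, so the cache adds no new replay exposure; the browser must still verify the CA's signature on whatever the proxy hands back, so the proxy community is trusted for availability, not for integrity. Second, what the proxy does get to see is which certificates a client is checking, which is the privacy cost Jacob is weighing at the end of his message.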