[SSL Observatory] SSL CA compromise in the wild

Chris Palmer chris at eff.org
Wed Mar 23 16:32:22 PDT 2011


On 03/23/2011 04:02 PM, Jacob Appelbaum wrote:

> The Browser Vendors are afraid that people will simply jump ship to a
> browser that "works" out of the box. Removal of a root will supposedly
> decrease browser share and so browser vendors refuse to remove roots
> unless absolutely forced.

We can use the Observatory to measure the cost of un-trusting a CA (root
or intermediate). Some of the 1,400+ signers have never signed anything,
or signed one thing once, and so on. (My favorite example is the DHS'
CA, which has signed one site that says "This site is going away soon.")
In fact, the distribution is highly polarized: very few CAs sign almost
all the in-use HTTPS certificates; most CAs sign very few certificates.

If we can bring real numbers to browser vendors, they might respond.

Unfortunately, the USERTRUST CA that was compromised is one of the CAs
that is Too Big To Fail. Nasko Oskov had a blog post a while back about
how he manually reduced Firefox's CA certificate list to the few big ones.

http://netsekure.org/2010/05/results-after-30-days-of-almost-no-trusted-cas/

>> Inconvenient and annoying? Likely. But so is a 0300 knock and potato-
>> bagged escort out of your home in Tehran, Iran. -Ali

Apparently some people in Syria were inconvenienced today when they
tried to use Facebook.


-- 
Chris Palmer
Technology Director, Electronic Frontier Foundation
https://www.eff.org/code
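To illustrate the measurement Chris proposes above, here is an added example (not code from the post or from the EFF SSL Observatory) that walks a constructed, hypothetical issuance graph of subject/issuer pairs and counts how many in-use sites would break if a given root or intermediate were distrusted, and how polarized the per-signer distribution is.

```python
from collections import Counter, defaultdict

# Constructed sample (hypothetical, not Observatory data): (subject, issuer)
# pairs as they would be read from parsed X.509 fields. A root is self-issued,
# an intermediate is issued by a root, a leaf is a hostname. Sizes mimic the
# polarized distribution described above: one CA signs most sites, the rest
# sign almost nothing.
CERTS = [
    ("BigRoot", "BigRoot"),
    ("BigInt1", "BigRoot"), ("BigInt2", "BigRoot"),
    ("TinyRoot", "TinyRoot"),
    ("IdleRoot", "IdleRoot"),            # has signed nothing in use
    ("going-away.example", "TinyRoot"),
] + [(f"site{i}.example", "BigInt1") for i in range(60)] \
  + [(f"shop{i}.example", "BigInt2") for i in range(30)]

def build_graph(certs):
    """Map each issuer to the subjects it signed; return the set of CAs."""
    issued = defaultdict(list)
    cas = set()
    for subject, issuer in certs:
        cas.add(issuer)
        if subject != issuer:            # skip the self-signed root record
            issued[issuer].append(subject)
    return issued, cas

def affected_leaves(certs, signer):
    """Sites whose chain passes through `signer`, whether root or intermediate.

    Distrusting a root also breaks every sub-CA beneath it, so walk the
    issuance graph downward and collect only the non-CA (leaf) subjects.
    """
    issued, cas = build_graph(certs)
    broken, stack = set(), [signer]
    while stack:
        node = stack.pop()
        for child in issued.get(node, ()):
            if child in cas:
                stack.append(child)       # descend into a sub-CA
            else:
                broken.add(child)         # a leaf certificate, i.e. a site
    return broken

def signer_distribution(certs):
    """Leaf-site count per CA (zero included), largest signer first."""
    _, cas = build_graph(certs)
    counts = Counter({ca: len(affected_leaves(certs, ca)) for ca in cas})
    return counts.most_common()
```

Run against a real scan, `signer_distribution` gives the "cost of un-trusting" table to put in front of browser vendors: signers at the bottom with a count of zero or one can be removed at essentially no cost to users.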