[SSL Observatory] SSL CA compromise in the wild
Jacob Appelbaum
jacob at appelbaum.net
Wed Mar 23 16:41:36 PDT 2011
On 03/23/2011 04:32 PM, Chris Palmer wrote:
> On 03/23/2011 04:02 PM, Jacob Appelbaum wrote:
>
>> The Browser Vendors are afraid that people will simply jump ship to a
>> browser that "works" out of the box. Removal of a root will supposedly
>> decrease browser share and so browser vendors refuse to remove roots
>> unless absolutely forced.
>
> We can use the Observatory to measure the cost of un-trusting a CA (root
> or intermediate). Some of the 1,400+ signers have never signed anything,
> or signed one thing once, and so on. (My favorite example is the DHS'
> CA, which has signed one site that says "This site is going away soon.")
> In fact, the distribution is highly polarized: very few CAs sign almost
> all the in-use HTTPS certificates; most CAs sign very few certificates.
Right. I made that argument with the observatory data in the bug report
that I filed with Mozilla. I don't know where they get their numbers or
how they make that internal decision.
>
> If we can bring real numbers to browser vendors, they might respond.
Perhaps. I think the incentives are all wrong.
>
> Unfortunately, the USERTRUST CA that was compromised is one of the CAs
> that is Too Big To Fail. Nasko Oskov had a blog post a while back about
> how he manually reduced Firefox's CA certificate list to the few big ones.
I don't agree that they're Too Big To Fail.
If someone produced a secret key, what then? Too big to fail? Is that
really the best we can do? I'm not so sure.
>
> http://netsekure.org/2010/05/results-after-30-days-of-almost-no-trusted-cas/
>
Andrew did that on the Tor blog as well:
https://blog.torproject.org/blog/life-without-ca
>>> Inconvenient and annoying? Likely. But so is a 0300 knock and potato-
>>> bagged escort out of your home in Tehran, Iran. -Ali
>
> Apparently some people in Syria were inconvenienced today when they
> tried to use Facebook.
>
Could you share a little more about this with the list?
All the best,
Jacob
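The measurement Chris describes above (using Observatory-style data to count how many in-use certificates each signer is responsible for, so the cost of un-trusting a root or intermediate becomes a number rather than a guess) can be sketched in a few lines. The script below is an added example, not code from the thread or from the EFF Observatory; the certificate list and issuer chain it uses are constructed sample data, and the `(subject, issuer)` pair representation is an assumption about how one would export the observed certificates.

```python
"""
Added example (not from the original thread or the Observatory project):
estimate the cost of un-trusting a CA from a list of observed HTTPS
certificates.  Each observed leaf is a (subject, issuer) pair; a separate
map gives each signer's own issuer (None for a root).  The cost of removing
a signer is the number of observed leaves whose chain passes through it.
"""
from collections import Counter

# Constructed sample data; names are made up and not real CAs.
SAMPLE_CERTS = [
    ("www.example-bank.com", "BigCA Intermediate 1"),
    ("mail.example.org", "BigCA Intermediate 1"),
    ("shop.example.net", "BigCA Intermediate 2"),
    ("login.example.com", "BigCA Intermediate 2"),
    ("cdn.example.com", "BigCA Intermediate 2"),
    ("portal.example.gov", "Tiny Gov CA"),
    ("wiki.example.edu", "Lone Root"),   # leaf signed directly by a root
]

# signer -> its issuer; None marks a trusted root.
SAMPLE_ISSUER_CHAIN = {
    "BigCA Intermediate 1": "BigCA Root",
    "BigCA Intermediate 2": "BigCA Root",
    "Tiny Gov CA": "Tiny Gov Root",
    "BigCA Root": None,
    "Tiny Gov Root": None,
    "Lone Root": None,
    "Idle Root": None,   # in the trust store, never seen signing anything
}


def chain_of(issuer, chain):
    """Return every signer on the path from `issuer` up to its root.

    A signer missing from `chain` is treated as its own root, and a `seen`
    set guards against a malformed map that loops back on itself.
    """
    path, seen = [], set()
    while issuer is not None and issuer not in seen:
        seen.add(issuer)
        path.append(issuer)
        issuer = chain.get(issuer)
    return path


def distrust_cost(certs, chain):
    """Map each signer to the number of observed leaves it would take down."""
    cost = Counter()
    for _subject, issuer in certs:
        for signer in chain_of(issuer, chain):
            cost[signer] += 1
    return cost


def removal_candidates(certs, chain, max_leaves=1):
    """Signers (roots and intermediates) responsible for at most `max_leaves`
    observed certificates: the cheap ones to un-trust, sorted by name."""
    cost = distrust_cost(certs, chain)
    return sorted(s for s in chain if cost[s] <= max_leaves)


def share_of_top_roots(certs, chain, n):
    """Fraction of observed leaves that chain to the `n` busiest roots,
    which shows how polarized the signer distribution is."""
    cost = distrust_cost(certs, chain)
    roots = [s for s, parent in chain.items() if parent is None]
    top = sorted(roots, key=lambda r: cost[r], reverse=True)[:n]
    return sum(cost[r] for r in top) / len(certs)


if __name__ == "__main__":
    for signer, n in distrust_cost(SAMPLE_CERTS, SAMPLE_ISSUER_CHAIN).most_common():
        print(f"{n:3d}  {signer}")
    print("cheap to remove:", removal_candidates(SAMPLE_CERTS, SAMPLE_ISSUER_CHAIN))
    print("share held by top root:",
          share_of_top_roots(SAMPLE_CERTS, SAMPLE_ISSUER_CHAIN, 1))
```

On real Observatory exports the same two tables would be built from the issuer and subject fields of the scanned certificates; the interesting outputs are the signers with a zero or one count (the "signed one site that says it is going away" case) and how much of the in-use population the handful of largest roots cover.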