[SSL Observatory] SSL CA compromise in the wild

Steve Schultze sjs at princeton.edu
Wed Mar 23 17:09:13 PDT 2011


On Mar 23, 2011, at 6:48 PM, Ali-Reza Anghaie wrote:
> In this case or the case of the MS certs being bought at random, why
> aren't these roots being pulled from browsers or at least thoroughly
> humiliated with really forceful messages?
> 
> Honestly, how hard would it have been for the big three/four browsers
> to have added a warning message for all Comodo sites. It would have
> made private customers have second thoughts on working with them, made
> other CAs double and triple check their work, etc.

There had been some talk of a mechanism like this on mozilla.dev.security.policy:
http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/99829a2c870fef42/73cb702a357a8505?lnk=gst&q=shame#73cb702a357a8505

The upshot was an agreement to discuss it as part of the updates to the Mozilla Cert Policy:
https://wiki.mozilla.org/CA:CertPolicyUpdates#Policy_Enforcement

That process has proceeded slowly, and although it is indeed proceeding it is unknown when they will get to that topic, and what the decision will be.

I personally am somewhat pessimistic, and suspect that the outcome will be a fairly tame list somewhere without any meaningful penalties... but that's speculation.

I too have heard the "too big to fail" type arguments from browsers.  I don't buy it, but that's the argument.  In general, the browsers show an appalling lack of willingness to do anything to CAs that screw up (or for that matter to introduce more stringent root approval practices in the first place).
