[SSL Observatory] SSL CA compromise in the wild
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Mar 23 18:15:43 PDT 2011
Jacob Appelbaum <jacob at appelbaum.net> writes:
>HSTS helps because at least with Chrome, it requires OCSP checking to pass.
>Thus a MITM cannot (without compromising the CA entirely) simply deny
>CRL/OCSP checks.
If you can issue your own certs, you can also point at your own OCSP
responder, which will always report them as not-revoked. It's the standard
PKI trick of asking the drunk whether he's drunk again.
Peter.
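The trick Gutmann describes, worked through as an added example (this is not code from the message or from the Observatory project): an attacker who can issue from a CA mints a leaf certificate whose AIA extension points at a responder URL under the attacker's control (the URL below is hypothetical), issues a delegated OCSP responder certificate with id-kp-OCSPSigning from the same CA, and signs a "good" response. A client that follows RFC 6960 (accept a response signed by the issuing CA or by a responder that CA certified) has no way to tell the difference, because the entity vouching for revocation status is the one that was compromised. Requires the `cryptography` package.

```python
"""Added example: attacker-controlled OCSP for an attacker-issued certificate.
Not part of Gutmann's message; ATTACKER_OCSP_URL and all names are invented."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.x509 import ocsp
from cryptography.x509.oid import (AuthorityInformationAccessOID,
                                   ExtendedKeyUsageOID, NameOID)
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Hypothetical responder URL under the attacker's control (assumption).
ATTACKER_OCSP_URL = "http://ocsp.attacker.invalid/"


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(subject, issuer_cert, issuer_key, pubkey, extensions):
    """Sign a 30-day certificate; issuer_cert=None means self-signed."""
    now = datetime.now(timezone.utc)
    issuer_name = subject if issuer_cert is None else issuer_cert.subject
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer_name).public_key(pubkey)
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - timedelta(minutes=5))
         .not_valid_after(now + timedelta(days=30)))
    for ext, critical in extensions:
        b = b.add_extension(ext, critical=critical)
    return b.sign(issuer_key, hashes.SHA256())


def build_rogue_pki():
    """Compromised CA, attacker-issued leaf (AIA -> attacker's responder),
    and an attacker-issued delegated OCSP signing certificate."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca = _issue(_name("Compromised Root CA"), None, ca_key, ca_key.public_key(),
                [(x509.BasicConstraints(ca=True, path_length=None), True)])

    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    aia = x509.AuthorityInformationAccess([x509.AccessDescription(
        AuthorityInformationAccessOID.OCSP,
        x509.UniformResourceIdentifier(ATTACKER_OCSP_URL))])
    leaf = _issue(_name("www.example.com"), ca, ca_key, leaf_key.public_key(),
                  [(x509.BasicConstraints(ca=False, path_length=None), True),
                   (aia, False)])

    resp_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    responder = _issue(_name("Attacker OCSP Responder"), ca, ca_key,
                       resp_key.public_key(),
                       [(x509.ExtendedKeyUsage(
                           [ExtendedKeyUsageOID.OCSP_SIGNING]), False)])
    return {"ca": ca, "leaf": leaf, "responder": responder,
            "responder_key": resp_key}


def rogue_good_response(pki):
    """What the attacker's responder answers for its own leaf: always GOOD."""
    now = datetime.now(timezone.utc)
    resp = (ocsp.OCSPResponseBuilder()
            .add_response(cert=pki["leaf"], issuer=pki["ca"],
                          algorithm=hashes.SHA256(),
                          cert_status=ocsp.OCSPCertStatus.GOOD,
                          this_update=now, next_update=now + timedelta(days=1),
                          revocation_time=None, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, pki["responder"])
            .certificates([pki["responder"]])
            .sign(pki["responder_key"], hashes.SHA256()))
    return resp.public_bytes(serialization.Encoding.DER)


def ocsp_url(leaf):
    """The URL a client would query: read straight out of the attacker's cert."""
    aia = leaf.extensions.get_extension_for_class(
        x509.AuthorityInformationAccess).value
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.OCSP][0]


def client_check(response_der, leaf, ca):
    """RFC 6960 client logic: accept a response signed by a responder that the
    leaf's issuing CA certified for id-kp-OCSPSigning.  Every check passes."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        raise ValueError("unsuccessful OCSP response")
    signer = resp.certificates[0]
    if signer.issuer != ca.subject:
        raise ValueError("responder not certified by the leaf's issuer")
    eku = signer.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
        raise ValueError("responder lacks id-kp-OCSPSigning")
    ca.public_key().verify(signer.signature, signer.tbs_certificate_bytes,
                           padding.PKCS1v15(), signer.signature_hash_algorithm)
    signer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               padding.PKCS1v15(), resp.signature_hash_algorithm)
    return resp.certificate_status


if __name__ == "__main__":
    pki = build_rogue_pki()
    print("client would query", ocsp_url(pki["leaf"]))
    print("status:", client_check(rogue_good_response(pki), pki["leaf"], pki["ca"]))
```

Note that `client_check` does everything the standard asks of it and still returns GOOD: the responder key is rogue, but it is certified by the very CA the attacker already controls, so OCSP adds no independent check. That is the "drunk" in the message, and why a hard-fail OCSP policy does not help against a CA-level compromise.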