[SSL Observatory] SSL CA compromise in the wild
Jacob Appelbaum
jacob at appelbaum.net
Wed Mar 23 18:25:58 PDT 2011
On 03/23/2011 06:15 PM, Peter Gutmann wrote:
> Jacob Appelbaum <jacob at appelbaum.net> writes:
>
>> HSTS helps because at least with Chrome, it requires OCSP checking to pass.
>> Thus a MITM cannot (without compromising the CA entirely) simply deny
>> CRL/OCSP checks.
>
> If you can issue your own certs, you can also point at your own OCSP
> responder, which will always report them as not-revoked. It's the standard
> PKI trick of asking the drunk whether he's drunk again.
>
Right, we're hoping that the CA key isn't compromised. I mean, more
compromised. :-)
All the best,
Jacob