[SSL Observatory] SSL CA compromise in the wild

Jacob Appelbaum jacob at appelbaum.net
Wed Mar 23 18:25:58 PDT 2011


On 03/23/2011 06:15 PM, Peter Gutmann wrote:
> Jacob Appelbaum <jacob at appelbaum.net> writes:
> 
>> HSTS helps because at least with Chrome, it requires OCSP checking to pass.
>> Thus a MITM cannot (without compromising the CA entirely) simply deny
>> CRL/OCSP checks.
> 
> If you can issue your own certs, you can also point at your own OCSP
> responder, which will always report them as not-revoked.  It's the standard
> PKI trick of asking the drunk whether he's drunk again.
> 

Right, we're hoping that the CA key isn't compromised. I mean, more
compromised. :-)

All the best,
Jacob
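The exchange above turns on who may sign an OCSP response. Under the RFC 6960 responder-trust rule a relying party accepts a response only if it is signed by the issuing CA itself or by a responder whose certificate was issued by that CA with the id-kp-OCSPSigning extended key usage. The toy model below, added here as an illustration and not code from this list or from any browser, shows why Peter's "ask the drunk" shortcut needs the CA's own signing key: an attacker who merely obtained a certificate from the CA (the certificate, names and serials are all constructed for the example) cannot produce a response the check accepts, while an attacker holding the CA key can. The `Response` struct and `Sign`/`Verify` helpers are a deliberate simplification of the ASN.1 OCSP format, not a real OCSP client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Response is a minimal stand-in for an OCSP response: what it asserts about one
// serial, which certificate signed it, and the signature. Real OCSP is ASN.1;
// only the parts that matter for the trust decision are modelled here.
type Response struct {
	Serial *big.Int
	Good   bool
	Signer *x509.Certificate
	Sig    []byte
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a certificate skeleton; all names and serials are constructed.
func template(cn string, serial int64, ca bool, eku []x509.ExtKeyUsage) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if ca {
		ku |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
	}
}

// issue signs tmpl for pub with parentKey; a nil parent yields a self-signed cert.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// digest binds the signature to the serial and the asserted status.
func digest(serial *big.Int, good bool) []byte {
	h := sha256.New()
	h.Write(serial.Bytes())
	if good {
		h.Write([]byte{1})
	} else {
		h.Write([]byte{0})
	}
	return h.Sum(nil)
}

// Sign produces a response for serial under the given signer certificate and key.
func Sign(serial *big.Int, good bool, signer *x509.Certificate, key *ecdsa.PrivateKey) Response {
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(serial, good))
	if err != nil {
		panic(err)
	}
	return Response{Serial: serial, Good: good, Signer: signer, Sig: sig}
}

// Verify applies the RFC 6960 responder-trust rule: the signer must be the
// certificate's issuer, or a responder certified by that issuer for OCSP signing.
func Verify(issuer *x509.Certificate, r Response) error {
	signer := r.Signer
	if !signer.Equal(issuer) {
		if err := signer.CheckSignatureFrom(issuer); err != nil {
			return errors.New("responder certificate was not issued by the certificate's issuer")
		}
		delegated := false
		for _, e := range signer.ExtKeyUsage {
			if e == x509.ExtKeyUsageOCSPSigning {
				delegated = true
			}
		}
		if !delegated {
			return errors.New("responder certificate lacks id-kp-OCSPSigning")
		}
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unsupported responder key type")
	}
	if !ecdsa.VerifyASN1(pub, digest(r.Serial, r.Good), r.Sig) {
		return errors.New("bad response signature")
	}
	return nil
}

// Outcome records which responses the relying party accepts in the scenario.
type Outcome struct {
	CASaysRevoked           bool // issuer's own "revoked" response verifies
	DelegatedAccepted       bool // properly delegated responder verifies
	RogueCertRejected       bool // mis-issued server cert cannot vouch for itself
	SelfSignedRejected      bool // attacker-run responder outside the CA is refused
	CAKeyCompromiseAccepted bool // with the CA key, a forged "good" is indistinguishable
}

// Scenario models an attacker who obtained a certificate from the CA without
// holding the CA's key (the situation Jacob is hoping for), then the case where
// the CA key itself is compromised (Peter's point).
func Scenario() Outcome {
	caKey := newKey()
	ca := issue(template("Example CA", 1, true, nil), nil, &caKey.PublicKey, caKey)
	respKey := newKey()
	resp := issue(template("Example OCSP Responder", 2, false,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}), ca, &respKey.PublicKey, caKey)
	atkKey := newKey()
	rogue := issue(template("login.example.test", 3, false,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}), ca, &atkKey.PublicKey, caKey)
	selfSigned := issue(template("Attacker Responder", 4, true,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}), nil, &atkKey.PublicKey, atkKey)
	serial := rogue.SerialNumber
	return Outcome{
		CASaysRevoked:           Verify(ca, Sign(serial, false, ca, caKey)) == nil,
		DelegatedAccepted:       Verify(ca, Sign(serial, false, resp, respKey)) == nil,
		RogueCertRejected:       Verify(ca, Sign(serial, true, rogue, atkKey)) != nil,
		SelfSignedRejected:      Verify(ca, Sign(serial, true, selfSigned, atkKey)) != nil,
		CAKeyCompromiseAccepted: Verify(ca, Sign(serial, true, ca, caKey)) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario())
}
```

The last field is the limit of the check: once the issuing key is in the attacker's hands the relying party has no cryptographic way to tell the forged "good" from the real one, which is why revocation checking only helps while the compromise stops short of the CA key.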


