[SSL Observatory] SSL CA compromise in the wild
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Wed Mar 23 18:29:27 PDT 2011
Jacob Appelbaum <jacob at appelbaum.net> writes:
>Right, we're hoping that the CA key isn't compromised. I mean, more
>compromised. :-)
You don't need a CA key compromised, you just issue yourself a CA cert and use
that to both issue fraudulent certs and verify, via OCSP, that they're not
revoked.
(Or use the '500' proxy trick, so you don't even need a CA cert. Once you
can get a CA to sign just a single cert of your own devising it's game over,
whether you make yourself a CA or not).
Peter.
More information about the Observatory
mailing list