[SSL Observatory] [cryptography] After the dust settles -- what happens next? (v. Long)

Marsh Ray marsh at extendedsubset.com
Sun Sep 11 18:40:34 PDT 2011


On 09/11/2011 07:26 PM, Paul Hoffman wrote:
> Some of us observe a third, more likely
> approach: nothing significant happens due to this event. The
> "collapse of faith" is only among the security folks whose faith was
> never there in the first place. A week after the event, who was
> talking about it other than folks on these lists and lists like
> them?

The 300,000+ Iranians who were actively attacked and now have to change 
their password and are wondering if they'd said anything in Gmail to get 
them arrested and interrogated.

The unknown numbers of Chinese (and people in other countries) who were 
hoping a US product like Gmail could provide a censorship-free email 
service.

The Dutch IT people who have to replace the ~58,000 certs issued by 
DigiNotar PKIoverheid CA.
http://www.techworld.com.au/article/400068/dutch_government_struggles_deal_diginotar_hack/

The management at Google who are likely scared as hell that the 
webmasters and security auditors of the 50% of major sites that source 
Javascript from https://google-analytics.com/ will realize that they 
would have been pwned too (and possibly been obligated to report it) had 
the attacker issued a cert for that. Who else thinks he probably will 
next time?

The people responsible for security at Amazon, PayPal, every other big 
retailer and the financial services companies that handle high-value 
accounts.

The governments and government contractors who depend on SSL VPNs with 
an in-band second factor of auth (like hardware token codes) to secure 
their remote access.

The attacker himself: https://twitter.com/#!/ichsunx2

The people who've generated the 367,772 views (so far) of Comodohacker's 
Pastebin texts:
http://pastebin.com/u/ComodoHacker

Slashdot and their bazillion subscribers are still talking about it as 
of yesterday:
http://it.slashdot.org/story/11/09/10/2129239/GlobalSign-Web-Server-Hacked-But-Not-CA

Who isn't talking about it really?

The full damage is not even out yet. This thing is just getting started.

Despite rumors to the contrary, there are, in fact, a great many 
influential people who do give a shit about the actual effective 
security delivered by SSL/TLS (beyond its ability to add an air of 
confidence to consumers' $50-liability-limit credit card transactions).

This time is not like the previous "SSL is broken again ho hum" bugs.

- Marsh
