1. A lot of businesses comply with law enforcement requests without a court order.
2. If you are capable of doing this, you are also capable of attacking the automated verification methods that low-assurance/domain-validated CAs use. For example, if you can spoof DNS for a domain, you can send the CA MX records that direct all validation email to the domain to your own server. Or, if you're a government, you can work with the target's email provider and/or domain name registrar and/or anybody else willing to help; then they could get forged certificates without the cooperation or knowledge of the CA.
I used to work for a company that was looking at making an SSL splicer. That was done in the context of a transparent pass-thru network device that scans and filters traffic.
The idea was that the client would install this device on their perimeter, generate a CA certificate for the device (on the device itself) and then install this CA cert on all internal clients. In other words, the clients were assumed to be cooperating.
From the technical perspective it was a piece of cake. The project still got shelved, but only because they failed to close the sale of the product.
The real news will be if anyone can prove that a default CA has been compelled by court order to generate a fake certificate.