
IE is killing it too, and, as this post points out, so is Mozilla.

Sign a Google Mail certificate for Iran? Fuck you. You're done.

In the medium term, I think a lot of HN people should also take a hard look at CONVERGENCE.IO. For now, though, it's heartening to see the real power behind Internet trust (hint: it's not Verisign and it's not the IETF) taking this seriously.



IMHO, just blacklisting these resellers is worthless as there is obviously not enough oversight over who can be a reselling CA.

This is the third time this year that a Comodo reseller has been breached. Comodo should scrutinize their customers better or THEY should get blacklisted (taking all their other resellers with them) at least until they have made sure that their clients have all resolved their security issues.


This is not a Comodo reseller. This is a root CA. Your browser has its own entry for DigiNotar in it.


It's heartening but it's also not. Surely there have been many other cases of invalid certs being granted for lower profile sites, perhaps by this very same CA, without any of us ever hearing about it. And surely the granter of one of those is still considered valid within many browser/OS configurations. But because this was an invalid Google cert the CA gets shut down.

It kind of highlights the difficult problem of when to decide to blacklist a CA in the current model.

And for clarity, who/what do you think is the real power behind Internet trust? I've been thinking about it for five minutes and can't come up with a good answer.


Browser vendors, perhaps?


And OS vendors. And whoever configures the computer. You buy a computer that was made in China, and it has root certs already in there (thanks to either Microsoft or Apple, or the shop who sold it, or the guys who assembled it - who knows?). Chrome / Safari uses the system certs. All good, right?


who/what do you think is the real power behind Internet trust

Nobody, it's all fiat. Verisign started this scam and we're just seeing the follow-on effects. There has never been anything more than the words and policies supporting the CA industry.


Was the CA definitely complicit in this attack? I always assume that private companies have little recourse at state scales of force.


Either the CA was complicit, or they weren't secure. Regardless of which it is, the CA's root certificate is not trustworthy.

If they were hacked into, spoofed into giving out a certificate, or raided by special forces and had data physically stolen from their servers, then perhaps they can generate a new key and have that become trusted once they've taken steps to ensure something like this doesn't happen again.

But there's no way anyone can trust their old root key anymore.


Does it matter whether they were complicit or simply compromised? Either way they shouldn't be trusted.


I wanted to give convergence.io a try, but - they offer a Firefox addon that doesn't install for FF 6.

Nice website, no idea if it works. Sounds cool, but more Beta than a Google Beta I guess.


I tried convergence.io, but it's incompatible with Certificate Patrol. Certificate Patrol is an addon which alerts you to certificate changes.


Has IE switched to auto updating or anything?

I love the fact that Google can push changes out to Chrome users immediately. That's a massive win for everyone.


Really? If Chrome's had updates pushed to it recently, how do I know that my browser itself, as installed on my filesystem, isn't now innately subverted by the Iranian government? (Note the domain in question in this particular case.)


I don't know about Chrome's update process, but they can simply have their own verification without root certificates (i.e. just like what most Mac software with Sparkle updater do: keep a public key inside the app, and verify the signature of updates).


The auto-update process should be far more secure than SSL certificates. They'll have keys in the current Chrome which it'll use to check any updates are legitimate before they get unpacked/installed.
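Added example (not code from the thread, nor Chrome's or Sparkle's actual implementation) of the scheme the two comments above describe: a public key pinned inside the application verifies each update's signature, so no root certificate or CA is involved. The Ed25519 key pair and the update payload are constructed for the demo; in a real deployment only the public key ships in the app and the private key stays with the vendor.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// VerifyUpdate is the client-side check: it accepts an update only if sig is
// a valid Ed25519 signature over the payload by the key pinned in the app.
func VerifyUpdate(pinned ed25519.PublicKey, payload, sig []byte) bool {
	return ed25519.Verify(pinned, payload, sig)
}

// SignUpdate is the vendor-side step; the private key never leaves the
// vendor's signing infrastructure.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) []byte {
	return ed25519.Sign(priv, payload)
}

// Demo runs the constructed scenario and returns whether verification passes
// for (genuine update, tampered update, update signed by someone else).
func Demo() (genuineOK, tamperedOK, wrongKeyOK bool) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // constructed attacker key

	update := []byte("constructed update payload v1.2.3") // constructed sample
	sig := SignUpdate(vendorPriv, update)

	genuineOK = VerifyUpdate(vendorPub, update, sig)

	// A single flipped bit in the payload must invalidate the signature.
	tampered := append([]byte{}, update...)
	tampered[0] ^= 0x01
	tamperedOK = VerifyUpdate(vendorPub, tampered, sig)

	// A signature that checks out under some other key (e.g. one a rogue CA
	// would vouch for) is meaningless: only the pinned key counts.
	wrongKeyOK = VerifyUpdate(otherPub, update, sig)
	return
}

func main() {
	g, t, w := Demo()
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v\n", g, t, w)
}
```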


They do do this? Or they could do this?


Is convergence.io available for Chrome?


I hope, so much, that Convergence.io is the future.

But, you said "medium term." What's the long term?



