Gathering session cookies with Firesheep

Posted Nov 14, 2010 11:59 UTC (Sun) by anselm (subscriber, #2796)
In reply to: Gathering session cookies with Firesheep by Simetrical
Parent article: Gathering session cookies with Firesheep

[…] and certificate authorities will have their trust revoked by browsers (making their certs useless) if they're found to be giving certs away to people who don't actually control the domains they're for.

Yeah right. Like this happened to VeriSign in March, 2001.

Gathering session cookies with Firesheep

Posted Nov 14, 2010 12:11 UTC (Sun) by gerv (subscriber, #3376) [Link]

Is it your contention that a single mistake by a CA should mean they are thereafter disqualified from being included in browsers until the end of time?

There's a difference between a mistake (which happens to the best of us) and wilfully ignoring the necessary rules and safeguards, or a history of mistakes which leads to a diagnosis of institutional incompetence. I suggest that Verisign is guilty of neither of the latter two things.

In addition, the certificate(s) in the incident you reference were digital code-signing certificates, not web server certificates. Very occasionally, web server certs do fall into the wrong hands (which can be via hacking and theft as much as misissuance - how many SSL-running web servers do you think were rooted in the past year?) but I'd be impressed if you can show me a single reported incident where a fraudulently-acquired web server cert was used for spoofing.

Gerv

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds