LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

Shumway lands in Firefox

LWN.net Weekly Edition for October 3, 2013

Integrity and embedded devices

NUMA scheduling progress

LWN.net Weekly Edition for September 26, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The case of the fraudulent SSL certificates

The case of the fraudulent SSL certificates

Posted Mar 24, 2011 10:13 UTC (Thu) by job (guest, #670)
Parent article: The case of the fraudulent SSL certificates

Certificate revocation has been broken from the beginning. Not only do you need to worry about careless CAs, but stealing certs is way too easy given the security state of web applications. Other important parts of SSL is also broken, such as the ability to delegate and trust a particular cert only on your subdomains.

I wish we could just use DNSSEC for this, but things move very slowly. While I understand the concern that DNS is not identity, I strongly believe that is not the common use case. I am much more often concerned that the certificate I am presented with is legitimate for "lwn.net", than that it belongs to "Eklektix Inc."

(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds