Fraudulent *.google.com certificate issued
Posted Aug 30, 2011 4:04 UTC (Tue) by dlang (✭ supporter ✭, #313)
Blocking by fingerprint blocks one particular CA cert; blocking by name blocks every CA cert with that name, effectively passing a death sentence on that CA (at least under that name, and if the same people submit a new CA to be accepted by the browsers, it's unlikely to be accepted).
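The difference between the two kinds of block described in the comment above, as an added example that is not part of the original thread. The `Cert` class, the CA name and the byte strings standing in for DER encodings are all constructed for illustration; no real certificate parsing is done.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str  # distinguished name of the holder
    issuer: str   # distinguished name of the signer
    der: bytes    # constructed stand-in for the DER encoding (not real ASN.1)

    @property
    def fingerprint(self) -> str:
        # A fingerprint is a hash over the whole encoded certificate.
        return hashlib.sha256(self.der).hexdigest()

def norm(dn: str) -> str:
    # Compare names case-insensitively, ignoring spaces around the commas.
    return ",".join(part.strip().casefold() for part in dn.split(","))

def blocked_by(chain, blocked_fps=frozenset(), blocked_names=frozenset()):
    """Return (subject, reason) for the first blocked cert in chain, else None."""
    names = {norm(n) for n in blocked_names}
    for cert in chain:
        if cert.fingerprint in blocked_fps:
            return (cert.subject, "fingerprint")
        # A name block hits the CA cert itself and anything naming it as issuer.
        if norm(cert.subject) in names or norm(cert.issuer) in names:
            return (cert.subject, "name")
    return None

# Constructed sample data: one CA name, two different CA certificates.
CA_NAME = "CN=Example Bad CA,O=Example,C=NL"
old_root = Cert(CA_NAME, CA_NAME, b"example-bad-ca certificate #1")
new_root = Cert(CA_NAME, CA_NAME, b"example-bad-ca certificate #2")
leaf_old = Cert("CN=www.example.test", CA_NAME, b"leaf issued under #1")
leaf_new = Cert("CN=www.example.test", "cn=example bad ca, o=Example, c=NL",
                b"leaf issued under #2")
good_root = Cert("CN=Example Good CA", "CN=Example Good CA", b"good root")
leaf_good = Cert("CN=www.example.test", "CN=Example Good CA", b"good leaf")

FP_BLOCK = frozenset({old_root.fingerprint})
NAME_BLOCK = frozenset({CA_NAME})

if __name__ == "__main__":
    for chain in ([leaf_old, old_root], [leaf_new, new_root], [leaf_good, good_root]):
        print(blocked_by(chain, blocked_fps=FP_BLOCK),
              blocked_by(chain, blocked_names=NAME_BLOCK))
```

The fingerprint block stops only chains containing the one listed CA certificate, while the name block also stops the second certificate carrying the same CA name.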
Posted Aug 30, 2011 22:36 UTC (Tue) by martinfick (subscriber, #4455)
How would that work?
Posted Aug 30, 2011 22:43 UTC (Tue) by dlang (✭ supporter ✭, #313)
Posted Aug 30, 2011 22:51 UTC (Tue) by martinfick (subscriber, #4455)
Posted Aug 31, 2011 15:43 UTC (Wed) by raven667 (subscriber, #5198)
Posted Aug 31, 2011 15:56 UTC (Wed) by martinfick (subscriber, #4455)
Posted Aug 31, 2011 16:37 UTC (Wed) by raven667 (subscriber, #5198)
Building up the paper trail that a CA needs to be accepted by the browsers does require effort and time, but you are right in that I have not worked closely enough to the CA/browser relationship to know exactly what is required to register with MS, Mozilla, Apple, Opera, Oracle, Google, RIM, and other vendors.
Posted Sep 1, 2011 7:56 UTC (Thu) by Comet (subscriber, #11646)
Things like Linkage Analysis, where they figure out which companies own which other companies, and trace down who actually owns a company.
It's human legwork to maintain their databases. Thus they get to charge money for queries against them.
So, I certainly hope that the major CAs are doing at least a paid check with one of the merchant houses before issuing EV certs, and anyone bundling together a group of CAs for others to trust should either be saying "don't trust us, this is just what we find convenient" (amateur, but sometimes appropriate) or should be doing the same due diligence.
Posted Sep 1, 2011 18:20 UTC (Thu) by raven667 (subscriber, #5198)
In this case, though, attackers are believed to have compromised the infrastructure and had enough access that they could issue whatever they liked without going through the audit and security controls. The technical measures which could prevent this are difficult, cumbersome, expensive and not foolproof. At some point you have to be able to accept a CSR from a customer and expose it to the HSA and receive a result. If you can get anywhere in that path you can send your own CSRs and have whatever you want signed.