Fraudulent certificates in the wild — again
Posted Jan 7, 2013 15:28 UTC (Mon) by Lennie (subscriber, #49641)
It is already a very slow race to the bottom.
Do you really believe service will improve if it is a fast race to the bottom? There is a reason Verisign sold its SSL branch to Symantec.
If you want free certs, you can also go to Gandi (sub-CA from Comodo), you'll get a free cert with your domain. At least for the first year. GoDaddy might also have a similar service (their own CA?).
Posted Jan 7, 2013 18:06 UTC (Mon) by giraffedata (subscriber, #1954)
There is a reason Verisign sold its SSL branch to Symantec.
And there's a reason Symantec bought it. Looks to me like evidence that it's a profitable business with a future.
(Actually, a sale of a business tells you nothing about whether it's a good business; it tells you the seller and buyer believe that the buyer can operate the business better than the seller can).
Posted Jan 8, 2013 17:34 UTC (Tue) by Lennie (subscriber, #49641)
Posted Jan 9, 2013 11:46 UTC (Wed) by tialaramex (subscriber, #21167)
But anyway, CAs are not solely in the SSL market. For SSL there was a competitive market, and technological pressure to innovate the CAs out of existence. The walled gardens are a much better opportunity. Typically the walled garden owner agrees a monopoly deal with you, the CA, where either they bundle your certificates with an SDK or their ISVs come to you separately to buy one, say once per year. The owner takes a slice of the money, you spend a slice more on overheads and the rest is clear profit with zero risk of being undercut by desperate competitors. Even if something goes wrong, the walled garden owner is in more trouble than the CA and will spend money on both PR and digging its way out, they're unlikely to offer the CA as scapegoat if they think they can still fix it, and as we've seen with SSL, you can just insist that whatever happened is "in the past" (when else would it be?) and won't happen again.
So expect Verisign SSL to still be there in ten years, but with SSL certificates as a very small part of the business, hardly mentioned in any financials and largely forgotten by the general public.
Posted Jan 9, 2013 14:25 UTC (Wed) by Lennie (subscriber, #49641)
The only parties that need to implement it are the browser vendors. They do however depend on an Internet where proper checking of DNSSEC material is possible.
This can be handled by something that is part of the browser, handled by the operating system, or something installed on the network or local machine (http://www.nlnetlabs.nl/projects/dnssec-trigger/).
This hasn't happened, partly, because there are other issues in the network that prevent this. From DSL routers which block large responses to just plain browser resolvers. A failover to HTTP or similar to collect this information is possible, but no one has come forward to set up a large distributed network of servers for this.
From the browser vendors I only see an interest in this field from the Google Chrome/Chromium developers and Firefox developers.
Google Chrome/Chromium uses the same NSS-library and, I believe, the same CA-store as Mozilla/Firefox.
The NSS-library is getting a lot of development, for example to refactor to easily support SPDY, but I haven't seen a lot of DNSSEC-/DANE-related development.
The Chrome/Chromium developers are developing their own DNS-library to improve performance. I've not seen any initiatives to add DNSSEC-validation support to it.
Chrome/Chromium does support this as a test:
DNSSEC-chain validation for DNSSEC-validated DNS material embedded in the SSL chain.
No other browser supports this and you can't have both the normal CA-chain and the DNSSEC-chain in the same SSL-certificate configuration. It is something that might be possible in theory, but different browsers handle this case differently and you end up with at least one browser giving errors depending on the choices you make.
Even if all this is said and done DNSSEC does not solve what the CAs call "extended validation" certificates (also known as the green bar).
In the meantime there are addons for Firefox and Chrome which you can use to add DNSSEC-/DANE-support to those browsers. I think there is even an IE extension; when combined with DNSSEC-trigger you have a full solution which should always work.
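The DANE check that the addons and Chrome's experimental DNSSEC-chain support perform is the matching of a TLSA record (RFC 6698) against the certificate the server presents. Below is an added example of that logic, not code from the LWN thread, from the browser addons, or from any of the projects mentioned. Every DER byte string is a constructed stand-in (a real client would take the certificate and its SubjectPublicKeyInfo from the TLS handshake and an ASN.1 parser), the TLSA records are built locally rather than fetched from DNS, and the DNSSEC validation result is passed in as a flag. The assumption that a trust-anchor (usage 0/2) certificate appears in the presented chain is a simplification.

```python
"""Added example: matching a server certificate against DANE TLSA records.

All DER blobs below are constructed stand-ins, not real certificates.
"""
import hashlib
from dataclasses import dataclass

# RFC 6698 field values
USAGE_PKIX_TA, USAGE_PKIX_EE, USAGE_DANE_TA, USAGE_DANE_EE = 0, 1, 2, 3
SELECTOR_CERT, SELECTOR_SPKI = 0, 1
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2

# Constructed stand-ins for DER encodings; a real client extracts these
# from the handshake with an ASN.1 parser.
SERVER_CERT_DER = b"constructed: server end-entity certificate (DER)"
SERVER_SPKI_DER = b"constructed: server SubjectPublicKeyInfo (DER)"
CA_CERT_DER = b"constructed: issuing CA certificate (DER)"
CA_SPKI_DER = b"constructed: issuing CA SubjectPublicKeyInfo (DER)"
# Chain as presented by the server: end-entity first, then issuers.
CHAIN = [(SERVER_CERT_DER, SERVER_SPKI_DER), (CA_CERT_DER, CA_SPKI_DER)]


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    matching_type: int
    data: bytes

    @classmethod
    def from_presentation(cls, text: str) -> "TLSA":
        """Parse the zone-file form '<usage> <selector> <mtype> <hex ...>'."""
        usage, selector, mtype, *hexparts = text.split()
        return cls(int(usage), int(selector), int(mtype),
                   bytes.fromhex("".join(hexparts)))

    def to_presentation(self) -> str:
        return f"{self.usage} {self.selector} {self.matching_type} {self.data.hex()}"

    def usable(self) -> bool:
        """A record with an unknown usage/selector/matching type is ignored."""
        return (self.usage in (0, 1, 2, 3) and self.selector in (0, 1)
                and self.matching_type in (0, 1, 2))


def association_data(cert_der: bytes, spki_der: bytes,
                     selector: int, matching_type: int) -> bytes:
    """The value a TLSA record must carry for this certificate."""
    selected = {SELECTOR_CERT: cert_der, SELECTOR_SPKI: spki_der}[selector]
    if matching_type == MATCH_FULL:
        return selected
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()


def publish_tlsa(usage: int, selector: int, matching_type: int,
                 cert_der: bytes, spki_der: bytes) -> TLSA:
    """Zone-operator side: the record to put at _443._tcp.<host>."""
    return TLSA(usage, selector, matching_type,
                association_data(cert_der, spki_der, selector, matching_type))


def dane_verdict(records, dnssec_secure: bool, chain, pkix_ok: bool) -> str:
    """Client side. Returns 'accept', 'reject' or 'no-dane'.

    'no-dane' means: behave as if no TLSA records existed and rely on
    ordinary PKIX validation. Rules (RFC 6698 section 4, simplified):
      - TLSA data not proven authentic by DNSSEC is ignored entirely.
      - Usages 0/1 (PKIX-TA/PKIX-EE) only constrain PKIX; the chain must
        still validate against the normal CA store (pkix_ok).
      - Usages 2/3 (DANE-TA/DANE-EE) replace the CA store.
      - EE usages are matched against the end-entity certificate, TA
        usages against an issuer in the presented chain (assumption).
    """
    if not dnssec_secure:
        return "no-dane"
    usable = [r for r in records if r.usable()]
    if not usable:
        return "no-dane"
    for r in usable:
        if r.usage in (USAGE_PKIX_TA, USAGE_PKIX_EE) and not pkix_ok:
            continue
        candidates = [chain[0]] if r.usage in (USAGE_PKIX_EE, USAGE_DANE_EE) else chain[1:]
        for cert_der, spki_der in candidates:
            if association_data(cert_der, spki_der, r.selector, r.matching_type) == r.data:
                return "accept"
    return "reject"


if __name__ == "__main__":
    rec = publish_tlsa(USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256,
                       SERVER_CERT_DER, SERVER_SPKI_DER)
    print("_443._tcp.example.com. IN TLSA", rec.to_presentation())
    print("signed zone:  ", dane_verdict([rec], True, CHAIN, pkix_ok=False))
    print("unsigned zone:", dane_verdict([rec], False, CHAIN, pkix_ok=False))
```

The `dnssec_secure` flag is the whole point of Lennie's remark about needing a validating resolver: a TLSA record fetched through a resolver that cannot prove DNSSEC authenticity carries no trust, so the client must fall back to the CA store rather than honour it. Note also that a DANE-EE (usage 3) record accepts the certificate even when PKIX fails, which is exactly what makes a CA unnecessary, while a PKIX-EE (usage 1) record is only a pin on top of normal validation.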
Posted Jan 9, 2013 17:27 UTC (Wed) by giraffedata (subscriber, #1954)
The "profitable business" only has to last until it's paid for its purchase
And that was my point: the fact that the SSL CA business transferred from one company to another doesn't tell us whether the business has a future. (If you look closely, you see I haven't argued that SSL CAs are here to stay; I argued that the transfer to Symantec is not evidence of that).
... not even that long if you believe you can sell it to a bigger sucker
... Since nobody in the stock market has apparently heard of periods of time longer than a quarter ...
Give me a reason to believe that Verisign likes long-lived businesses more than Symantec, that Verisign is less interested in the stock market, or is a smaller sucker than Symantec, and then we have evidence, together with the sale of the SSL CA business, that SSL CAs are doomed. That wasn't present in the original post.
Posted Jan 14, 2013 11:16 UTC (Mon) by ortalo (subscriber, #4654)
My try: support GnuPG certificates with individuals as roots of trust in browsers, integrate gnucash with git for secure publication of accounting status. Crazy enough?)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds