
Laurie: Improving SSL certificate security

Posted Apr 3, 2011 18:01 UTC (Sun) by geuder (subscriber, #62854)
In reply to: Laurie: Improving SSL certificate security by Kit
Parent article: Laurie: Improving SSL certificate security

> If the attacker can get a valid certificate

Yes, the attacker can get a valid certificate, but not a valid EV certificate. That has been the assumption for a couple of comments in this thread. With just a valid non-EV certificate, the browser would not display the extra color/number info suggested.

> everyone will just be trained to hit 'yes'/'accept'

That's why I suggested 3 options, and a different one is "correct" every day (one could also change the algorithm such that a different one is correct completely randomly from a human perspective).


Laurie: Improving SSL certificate security

Posted Apr 6, 2011 9:26 UTC (Wed) by jamesh (guest, #1159) (2 responses)

It shouldn't have been possible for the attacker to create Domain Validated certificates, but they managed to due to policy problems (possibly due to them outsourcing the validation to a reseller?).

For EV certificates, we're being told that they are more secure because the CAs would never take similar shortcuts when validating these new certificates.

The existing track record of CAs doesn't inspire confidence that we'll never see a bogus EV certificate.

Laurie: Improving SSL certificate security

Posted Apr 6, 2011 15:41 UTC (Wed) by martinfick (subscriber, #4455)

No, really, I mean it, you can trust this certificate (it is an EV). Well, what about that other one you issued that isn't an EV? Oh, you can trust that one too, we issued it. So, then why would I get an EV one? Because you can really trust an EV one. So I can't trust the non-EV one? Well, no, of course, you can. ....[repeat]

Laurie: Improving SSL certificate security

Posted Apr 6, 2011 17:55 UTC (Wed) by dlang (guest, #313)

It doesn't really matter: when the EV certs get down to the level of normal certs, they will invent 'new, really secure, we really mean it this time' certs and jack up the price on them even more. And a few years later they will do it again.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds