Laurie: Improving SSL certificate security
Posted Apr 4, 2011 15:46 UTC (Mon) by gmaxwell (guest, #30048)
Parent article: Laurie: Improving SSL certificate security
I mean— I don't consider Google ultimately trustworthy but I think they're more trustworthy (and competent and probably experienced, and they certainly have more to lose) than most of the CAs browsers currently trust. Many of them operate many more domains than many of the currently trusted CAs have certs which have been observed on the internet.
That plus some domain to CA binding would substantially reduce the number of really attractive targets for various attacks.
Posted Apr 4, 2011 16:06 UTC (Mon) by dlang (guest, #313)
Any company that runs a CA that is trusted by the browsers can issue a certificate for _any_ domain.
This means that GE (one of the companies listed) could issue a certificate for irs.gov, and it's only their internal processes that prevent this from happening.
This is the fundamental problem. And a company like Microsoft or Google cannot defend against this because they don't have any control over what all the CAs do (especially since some of them are government agencies).
If Google were to start issuing certs, this would not solve any problems, it would just add one more vendor who could create certs. They could issue their own certs, but certs issued by someone else would continue to be considered valid by all the browsers and other tools out there.
The commercial CA vendors are trying to strike a balance between security and ease of use, and in this case there was a hole that made it too easy for someone to request a cert ;-)
Posted Apr 5, 2011 1:28 UTC (Tue) by foom (subscriber, #14868)
0: subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   issuer=/C=US/O=Google Inc/CN=Google Internet Authority
1: subject=/C=US/O=Google Inc/CN=Google Internet Authority
   issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
As the previous comment says, without a method to restrict the certificates they're allowed to issue, that doesn't make the CA system any more secure, it makes it less secure.
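Added example, not part of the original thread: a toy Python model of the point dlang and foom make, run over the chain foom posted. It compares names only (no signatures are verified); the second chain, the trust-store contents and the binding table are constructed assumptions.

```python
def parse_chain(text):
    """Parse 'N: subject=...' / 'issuer=...' lines into a list of cert dicts."""
    chain = []
    for line in text.strip().splitlines():
        line = line.strip()
        if "subject=" in line:
            chain.append({"subject": line.split("subject=", 1)[1], "issuer": None})
        elif line.startswith("issuer=") and chain:
            chain[-1]["issuer"] = line.split("issuer=", 1)[1]
    return chain

def common_name(dn):
    """Return the CN component of a /-separated distinguished name, or None."""
    for part in dn.split("/"):
        if part.startswith("CN="):
            return part[3:]
    return None

def chain_is_trusted(chain, trust_store):
    """Browser-style check: links line up and the top issuer is ANY trusted root."""
    if not chain or any(c["issuer"] is None for c in chain):
        return False
    if any(c["issuer"] != p["subject"] for c, p in zip(chain, chain[1:])):
        return False
    return chain[-1]["issuer"] in trust_store

def binding_allows(chain, trust_store, bindings):
    """Same check plus a domain-to-CA binding keyed on the exact leaf CN (assumption)."""
    if not chain_is_trusted(chain, trust_store):
        return False
    allowed = bindings.get(common_name(chain[0]["subject"]))
    return allowed is None or chain[-1]["issuer"] in allowed

EQUIFAX = "/C=US/O=Equifax/OU=Equifax Secure Certificate Authority"
OTHER_ROOT = "/C=XX/O=Example Other CA/CN=Example Other Root"  # constructed

PAGE_CHAIN = """
0: subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
   issuer=/C=US/O=Google Inc/CN=Google Internet Authority
1: subject=/C=US/O=Google Inc/CN=Google Internet Authority
   issuer=/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
"""
# Constructed: the same leaf name, issued by a different root the client also trusts.
OTHER_CHAIN = "0: subject=/C=US/O=Google Inc/CN=*.google.com\n   issuer=" + OTHER_ROOT

TRUST_STORE = {EQUIFAX, OTHER_ROOT}       # constructed trust store
BINDINGS = {"*.google.com": {EQUIFAX}}    # constructed domain-to-CA binding

if __name__ == "__main__":
    for name, text in (("page chain", PAGE_CHAIN), ("other chain", OTHER_CHAIN)):
        c = parse_chain(text)
        print(name, chain_is_trusted(c, TRUST_STORE), binding_allows(c, TRUST_STORE, BINDINGS))
```

Both chains pass the plain trust-store check; only the binding distinguishes them, which is why adding another issuing CA without such a restriction does not reduce exposure.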
