Google: Maintaining digital certificate security
Posted Mar 24, 2015 9:52 UTC (Tue) by matthias (subscriber, #94967) In reply to: Google: Maintaining digital certificate security by Aissen
Parent article: Google: Maintaining digital certificate security
Maybe this would not help much against the NSA, as they might be able to steal the secret key of the root CA, but this helps against all those little criminals that just want to break my banking security to empty my bank account.
With SSL it is enough to get hold of the private key of one of the thousands of sub-CAs available. With DANE (on top of DNSSEC), the attacker needs access to the root key, the key of the TLD, or the key of my bank. I would feel much better if I just had to trust these three instances, instead of the thousands of CAs out there.