Phony Web Certs Issued For Google, Yahoo, Skype 151
Gunkerty Jeb writes "A major issuer of secure socket layer (SSL) certificates acknowledged on Wednesday that it had issued 9 fraudulent SSL certificates to seven Web domains, including those for Google.com, Yahoo.com and Skype.com following a security compromise at an affiliate firm. The attack originated from an IP address in Iran, according to a statement from Comodo Inc."
Well (Score:2, Insightful)
CRLs? (Score:5, Insightful)
The article says that browser makers rushed to put out patches to blacklist the fraudulent certs. Isn't this what certificate revocation lists [wikipedia.org] are for? Are CRLs completely broken and unused?
Re:Better Internet for Everybody (Score:2, Insightful)
Wow, broken clocks are right twice a day it seems.
And the CAs do ... what again? (Score:5, Insightful)
If I'm paying the CA to certify that public key X really is mine, and yet someone who's not me can get the same certification from the CA for being me ... what was I paying for again?
RSA =/= rubber stamp authority
Re:And the CAs do ... what again? (Score:4, Insightful)
Are you saying that SSH is not useful? Read my post again.
Emphasis mine. Yes, it is vulnerable to a man-in-the-middle attack. Exactly once. After you've made one connection, you're safe to connect to that particular host forever and ever... unless and until somebody legitimately has to change keys and certs without signing the new one with the same CA cert. At that point, you're unsafe one more time (and, hopefully, suspicious about the competence of the site's admins by this point).
And if you connect to the site, then take your computer to a different network and make the connection again and don't get screamed at (because the host key has changed), you can pretty much feel confident that you aren't getting hit by a man-in-the middle attack unless your computer is thoroughly 0wn3d, in which case it really doesn't matter if the traffic is encrypted because your keystrokes are probably being sniffed anyway. :-)