The state-level attack on the SSL CA security model

• Previous message (by thread): The state-level attack on the SSL CA security model
• Next message (by thread): The state-level attack on the SSL CA security model
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mar 24, 2011, at 11:05 AM, Martin Millnert wrote:

> Announcing this high and loud even before fixes were available would not have exposed more users to threats, but less.


An argument against doing this prior to fixes being available is that miscreants who didn't know about this previously would be alerted to the possibility of using one of these certs (assuming they could get their hands on one) in conjunction with name resolution manipulation.

Note that announcing this prior to fixes would've dramatically increased the resale value of these certificates in the underground economy, making them much more attractive/lucrative.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

		The basis of optimism is sheer terror.

			  -- Oscar Wilde

• Previous message (by thread): The state-level attack on the SSL CA security model
• Next message (by thread): The state-level attack on the SSL CA security model
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]