The state-level attack on the SSL CA security model

Dan White dwhite at olp.net
Thu Mar 24 14:59:14 UTC 2011


On 24/03/11 10:09 -0400, Harald Koch wrote:
>On 3/23/2011 11:05 PM, Martin Millnert wrote:
>>To my surprise, I did not see a mention in this community of the
>>latest proof of the complete failure of the SSL CA model to actually
>>do what it is supposed to: provide security, rather than a false sense
>>of security.
>
>This story strikes me as a success - the certs were revoked 
>immediately, and it took a surprisingly short amount of time for 
>security fixes to appear all over the place.

The point is that the 'short amount of time' should have been zero (from
the time of the update of the CRL) which would have allowed an immediate
announcement of the revocation to the public, with sufficient details for
the public to make educated decisions about their internet usage.

But because the CRL publication did not facilitate that, due to whatever
deficiency there existed in the protocol or in browser implementations,
announcement had to be delayed, providing a small group of attackers a
larger window than necessary to compromise information.

-- 
Dan White




More information about the NANOG mailing list