The state-level attack on the SSL CA security model

Brian Keefer chort at smtps.net
Thu Mar 24 09:34:20 CDT 2011


On Mar 24, 2011, at 7:09 AM, Harald Koch wrote:

> On 3/23/2011 11:05 PM, Martin Millnert wrote:
>> To my surprise, I did not see a mention in this community of the
>> latest proof of the complete failure of the SSL CA model to actually
>> do what it is supposed to: provide security, rather than a false sense
>> of security.
> 
> This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place.
> 
> <snip>
> -- 
> Harald

I'd hardly call the fact that it required manual blacklist patches to every browser a "success".  SSL is a failure if real revocation requires creating a patch for browsers and relying on users to install it.

--
bk




More information about the NANOG mailing list