Microsoft deems all DigiNotar certificates untrustworthy, releases updates

Martin Millnert millnert at
Mon Sep 12 14:09:43 UTC 2011


On Sun, Sep 11, 2011 at 8:12 PM,  <sthaug at> wrote:
>> To pop up the stack a bit it's the fact that an organization willing to
>> behave in that fashion was in my list of CA certs in the first place.
>> Yes they're blackballed now, better late than never I suppose. What does
>> that say about the potential for other CAs to behave in such a fashion?
> I'd say we have every reason to believe that something similar *will*
> happen again :-(

Something similar, including use of purchased (not only limited to
stolen) certs, is ongoing already, all of the time.  (I had a fellow
IRC-chat-friend report from a certain very western-allied Middle
Eastern country that there's ISP/state-scale SSL-MITM ongoing there,
for all https traffic.)

The comment on starting out with an empty /etc/ssl is valid.  Most of
the normally included CAs you almost never run into on the wild web
anyway. There were some blog postings about this last time a CA was
busted. Shave off 90% of them and you have at least come a bit on the
way (goal 100%).

The absence of proof is *not* proof of absence, and in this particular
case it's pretty safe to assume some abuse is ongoing somewhere, 24/7.

