[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

The state-level attack on the SSL CA security model

Subject: The state-level attack on the SSL CA security model
From: nixon at nsc.liu.se (Leif Nixon)
Date: Thu, 24 Mar 2011 15:46:14 +0100
In-reply-to: <[email protected]> (Harald Koch's message of "Thu, 24 Mar 2011 10:09:13 -0400")
References: <[email protected]> <[email protected]>

Harald Koch <chk at pobox.com> writes:

> On 3/23/2011 11:05 PM, Martin Millnert wrote:
>> To my surprise, I did not see a mention in this community of the
>> latest proof of the complete failure of the SSL CA model to actually
>> do what it is supposed to: provide security, rather than a false sense
>> of security.
>
> This story strikes me as a success - the certs were revoked
> immediately, and it took a surprisingly short amount of time for
> security fixes to appear all over the place.

But revocation doesn't work, and people don't install updates, so this
is only a *theoretical* success.

-- 
Leif Nixon - Security officer
National Supercomputer Centre - Swedish National Infrastructure for Computing
Nordic Data Grid Facility - European Grid Infrastructure

References:
- The state-level attack on the SSL CA security model
  - From: millnert at gmail.com (Martin Millnert)
- The state-level attack on the SSL CA security model
  - From: chk at pobox.com (Harald Koch)

Prev by Date: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
Next by Date: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million
Previous by thread: The state-level attack on the SSL CA security model
Next by thread: The state-level attack on the SSL CA security model
Index(es):
- Date
- Thread