Is SSL/TSL really secure? - Page 2


Re: Is SSL/TSL really secure?

Ludovic Joly wrote:
> [quoted text not loaded]

You don't need any friends at CAs, because most are scumbags. May I
remind you of certain incidents:

- An unknown acquired a certificate on the CN "Microsoft Corporation"
through anonymous telephone at Verisign.

- GeoTrust signed certain certificates with certain banks as OU names.
It was supposed to be an internal audit, and now they're even proud
of their achievement. Guess what? They didn't change anything about
their verification mechanism.

- GeoTrust/Equifax signed a certificate on a domain name as CU and OU (notice the dash) for a small company in Salt Lake
City. Guess what? The real Mountain America credit union running the
real is in Salt Lake City as well. Everything was
verified by Visa, obviously just by location.

- Hell, even the infamous TCPA/TCG had a lot of trouble with certs.
Having the TCPA website running with the cert of the TCG website (TCG
was refounded from members of TCPA? I would guess they just renamed! Now
they even melted both websites together...), forgetting to renew the
cert... and they like to preach that our crypto keys are safe with them.

And would you trust "AOL/Time Warner" as a CA?
