- Is SSL/TSL really secure?
- Sebastian Gottschalk
March 31, 2006, 11:41 am
Re: Is SSL/TSL really secure?
You don't need any friends at CAs, because most are scumbags. May I
remind you of certain incidents:
- An unknown person acquired a certificate for the CN "Microsoft Corporation"
through an anonymous telephone call to Verisign.
- GeoTrust signed certain certificates with certain banks as OU names.
It was supposed to be an internal audit, and now they're even proud
of their achievement. Guess what? They didn't change anything about
their verification mechanism.
- GeoTrust/Equifax signed a certificate on a domain name as CU and OU
mountain-america.net (notice the dash) for a small company in Salt Lake
City. Guess what? The real Mountain America credit union running the
real mountainamerica.net is in Salt Lake City as well. Everything was
verified by Visa, obviously just by location.
- Hell, even the infamous TCPA/TCG had a lot of trouble with certs.
Having the TCPA website running with the cert of the TCG website (TCG
was refounded from members of TCPA? I would guess they just renamed! Now
they even merged both websites together...), forgetting to renew the
cert... and they like to preach that our crypto keys are safe with them.
And would you trust "AOL/Time Warner" as a CA?