On Wed, 9 Apr 2014, Klemens Baum wrote:
> StartCom provides cheap and even free SSL certificates via the
> StartSSL brand. However, revoking certificates requires a
> US$ 24.90 fee [3]. This discourages responsible sysadmin procedure
> and will ensure many compromised certificates remain in use.
I don't believe that any browser or HTTPS client in Debian checks
revocations with hard failures if the CRL or OCSP responder is
unreachable, so I don't see how this is relevant for decisions regarding
Debian's default trust store. The certificate will (it seems) get reissued
for free with a new key, so the compromised certificate will not be in
use. And an attacker in a position to MITM is also in a position to
make the revocation useless:
https://news.ycombinator.com/item?id=7556909
https://www.imperialviolet.org/2012/02/05/crlsets.html
https://twitter.com/agl__/status/453602748601495553
Multiple commenters on the HN thread you link to imply that StartCom is
happy to reissue certs for free, but they charge for revocations, for
instance: "The title is misleading. StartCom is asking for its fee for
revoking, that's all. Not making revocation free of cost isn't refusal to
reissue cert."
If they were charging for reissues, there might be an argument here, but
even if they didn't do revocations at all, I don't see how that affects
security under the threat model used by the Debian packages that use
ca-certificates.
> As a consequence you can't trust certificates signed by StartCom before
> 2014-04-07.
This only affects certs that were used on vulnerable versions of OpenSSL
with allocation schemes that actually loaded the private key into freed
memory that could be returned. I haven't seen a valid claim that this is
anywhere near a significant fraction of the web.
http://blog.erratasec.com/2014/04/why-heartbleed-doesnt-leak-private-key.html
https://twitter.com/neelmehta/status/453625474879471616
--
Geoffrey Thomas
https://ldpreload.com
geo...@ldpreload.com