On 06/21/2011 12:18 PM, Ian G wrote:
> On 18/06/11 8:16 PM, Marsh Ray wrote:
>> On 06/18/2011 03:08 PM, slinky wrote:
>>> .... But we know there are still hundreds of
>>> "trusted" root CAs, many from governments, that will silently install
>>> themselves into Windows at the request of any website. Some of these
>>> even have code signing capabilities.
> Hmmm... I'm currently working on a risk analysis of this sort of thing.
> Can you say more about this threat scenario?
I did a blog post about it a while back: http://extendedsubset.com/?p=33
This was about the CNNIC situation; since then we've seen Tunisia MITM
its citizens, and they have a national CA as well.
Basically, MS Windows has a list of "Trusted Root CAs". But the list
displayed there is actually just a subset of the CAs that are
effectively trusted. When you browse to a site with a CA not in this
list, Windows can contact Microsoft and on-the-fly add that cert to your
trusted root store. Innovative, huh?
- Marsh
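One way to watch for this on a host, as an added example that is not part of the thread or anyone's posted code: a PowerShell script that snapshots the effective root set (the visible Root store plus the AuthRoot store that automatic root update populates) and later diffs it to surface roots that appeared without an administrator adding them. The store paths and the DisableRootAutoUpdate policy value are the standard Windows names and are assumed to be present.

```powershell
# Added example, not from the thread. Snapshot the effective root set and
# diff it later to spot roots that showed up since the baseline was taken.
# Store names are the standard Windows system stores (assumed present).
$script:RootStores = @(
    'Cert:\LocalMachine\Root',      # the list a user sees in certmgr
    'Cert:\LocalMachine\AuthRoot',  # roots pulled in by automatic root update
    'Cert:\CurrentUser\Root'        # per-user additions
)

function Get-EffectiveRoots {
    foreach ($store in $script:RootStores) {
        if (-not (Test-Path $store)) { continue }
        Get-ChildItem -Path $store | ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Save-RootBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-EffectiveRoots | Export-Clixml -Path $Path
}

function Compare-RootBaseline {
    param([Parameter(Mandatory)][string]$Path)
    $baseline = @(Import-Clixml -Path $Path)
    $current  = @(Get-EffectiveRoots)
    # Entries present now but absent from the baseline were added after the snapshot.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
        -Property Thumbprint, Store -PassThru |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Store, Thumbprint, Subject, NotAfter
}

# Read-only check of the group policy value that turns automatic root update off.
function Test-RootAutoUpdateDisabled {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $v = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    return ($null -ne $v -and $v.DisableRootAutoUpdate -eq 1)
}

# Usage (constructed paths): take the snapshot once, then diff on a schedule.
# Save-RootBaseline    -Path 'C:\ProgramData\root-baseline.xml'
# Compare-RootBaseline -Path 'C:\ProgramData\root-baseline.xml'
```

Roots that appear only in AuthRoot, not in Root, are exactly the ones the on-the-fly mechanism fetched, so a diff on that store is the narrowest signal for the behaviour Marsh describes.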
_______________________________________________
cryptography mailing list
http://lists.randombit.net/mailman/listinfo/cryptography