On Mon, Feb 6, 2012 at 9:52 PM, Steven Bellovin <[email protected]> wrote: > http://arstechnica.com/business/guides/2012/02/google-strips-chrome-of-ssl-revocation-checking.ars > > --Steve Bellovin, https://www.cs.columbia.edu/~smb
Interesting blog post on this topic by Adam Langley here: http://www.imperialviolet.org/2012/02/05/crlsets.html One question, though. Langley writes: "If the attacker is close to the server then online revocation checks can be effective, but an attacker close to the server can get certificates issued from many CAs and deploy different certificates as needed." Anyone follow this line of reasoning? _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
