On Thu, Mar 24, 2011 at 09:22, Daniel Stenberg <[email protected]> wrote:
> There's this incident that has been talked about the last couple of days
> where "an attacker" managed to get several fraudulent SSL certificates for
> public websites.
>
> Chrome and Firefox now both block these certificates explicitly.
>
> I assume there's reason for us to consider doing the same, to protect our
> users who might use libcurl to access such sites.
>
> I'll appreciate feedback and ideas.
The fraudulent certificates have been revoked. I think it's probably better to check their revocation status through OCSP than it is to retroactively blacklist them. Incidents like this happen time and time again (though not often with such a high-profile CA) and a blacklist is likely going to be perpetually outdated, even more so when you take into account how much time it takes for upstream changes to make it into the distros.

I don't think OpenSSL by default queries the revocation status (and I've no idea if the other SSL engines support this) but all the interesting bits are in <openssl/ocsp.h>.

OCSP does add overhead (an extra HTTP request) and is susceptible to MITM attacks unless used properly. It should probably be combined with CRLs but that's another can of worms.

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
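The OCSP exchange the reply describes, and the "unless used properly" caveat, as an added example that is not part of the original thread and not code from curl or OpenSSL. It drives the openssl command-line tool in its offline responder mode (-index with -reqin/-respout, so no network is needed) against a PKI constructed just for the demo: a self-signed "Demo Root CA", a leaf certificate it issued for www.example.test with serial 42, and an unrelated "Rogue CA" standing in for an attacker who can answer OCSP queries on the wire. The real CA's database marks the leaf revoked; the rogue responder claims it is good. The point is that a client which verifies the response against the issuing CA gets "revoked", rejects the rogue answer outright, and only a client that skips signature verification believes the attacker's "good".

```shell
#!/bin/sh
# Offline OCSP walk-through with the openssl CLI. Added example, not code from
# curl or from the posters of this thread. All names, keys and the serial are
# constructed for the demo; the responder side is driven with -reqin/-respout
# instead of a live -url, so everything runs without a network.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Build the throwaway PKI: the real CA, a leaf it issued, and an attacker's CA.
setup_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Root CA" -keyout ca.key -out ca.pem 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 42 \
        -days 30 -sha256 -out leaf.pem 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Rogue CA" -keyout rogue.key -out rogue.pem 2>/dev/null
}

# Write a one-line CA database in the format "openssl ca" keeps and
# "openssl ocsp -index" reads: status, expiry, revocation time[,reason],
# serial in hex, file name, subject DN, all tab-separated.
# $1 = output file, $2 = V (valid) or R (revoked)
write_index() {
    serial=$(openssl x509 -in leaf.pem -noout -serial | cut -d= -f2)
    if [ "$2" = R ]; then
        rev="110324092200Z,keyCompromise"   # constructed revocation time
    else
        rev=""
    fi
    printf '%s\t%s\t%s\t%s\tunknown\t%s\n' "$2" "360101000000Z" "$rev" \
        "$serial" "/CN=www.example.test" > "$1"
}

# Client side: one OCSP request for leaf.pem (issuer name/key hashes + serial).
make_request() {
    openssl ocsp -issuer ca.pem -cert leaf.pem -no_nonce -reqout req.der 2>/dev/null
}

# Responder side: answer req.der from a CA database, signed with the given key.
# $1 = index file, $2 = signer cert, $3 = signer key, $4 = output file
respond() {
    openssl ocsp -index "$1" -CA ca.pem -rsigner "$2" -rkey "$3" -ndays 1 \
        -reqin req.der -respout "$4" -no_nonce 2>/dev/null
}

# Client side again: verify the response signature and chain against a trust
# anchor, then report the certificate status. Prints VERIFY-FAILED when the
# response is unacceptable, which a client must treat as "no answer", never as
# "good".   $1 = response file, $2 = trust anchor (CA file)
check_status() {
    out=$(openssl ocsp -respin "$1" -issuer ca.pem -cert leaf.pem \
            -CAfile "$2" -no_nonce 2>/dev/null) || { echo VERIFY-FAILED; return 0; }
    printf '%s\n' "$out" | sed -n '1s/^leaf\.pem: //p'
}

# What a client that skips signature verification would believe.   $1 = response file
unverified_status() {
    openssl ocsp -respin "$1" -issuer ca.pem -cert leaf.pem -noverify -no_nonce \
        2>/dev/null | sed -n '1s/^leaf\.pem: //p'
}

setup_pki
write_index real.idx R      # the real CA has revoked the leaf
write_index rogue.idx V     # the attacker's database says it is fine
make_request
respond real.idx ca.pem ca.key resp.der
respond rogue.idx rogue.pem rogue.key rogue-resp.der

echo "real CA response, verified against the CA:  $(check_status resp.der ca.pem)"
echo "rogue response, verified against the CA:    $(check_status rogue-resp.der ca.pem)"
echo "rogue response, signature not verified:     $(unverified_status rogue-resp.der)"
```

The -no_nonce flags are there only because the response is produced offline and a later `openssl ocsp -respin` run would otherwise mint a fresh nonce and fail the comparison; against a live responder the nonce (on by default) is what stops an attacker from replaying a "good" response captured before the revocation. The other half of "used properly" is what the client does when it gets VERIFY-FAILED or no response at all: treating that as "good" (soft-fail) hands the attacker a trivial bypass, and that policy choice is the one a script like this cannot make for you.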
