>And you have a clue for us on how to do that? >Kind regards >Philipp Kern
Some ideas that were proposed: 1) make use of the already existing openssl-blacklist infrastructure 2) drop the offending CA (this is already the third -publicly reported- incident specifically involving them) 3) take this as a cause to think boldly and start working on simplifying, consolidating and improving the TSL/SSL "mess" that currently exists on Linux. Mozilla welcomes for contribution in their ongoing discussion about "technical and policy changes" "surrounding authentication and security on the web": http://blog.mozilla.com/security/2011/03/25/comodo-certificate-issue-follow-up/ https://www.mozilla.org/about/forums/#dev-security-policy maybe something fruitful would come from a collaboration of some sorts. This probably wasn't the last incident of this sort. Here is the chance to prepare for the next one that might be a lot more damaging. If the goal is to protect users the action needs to be really swift, now it's too late anyway. As I see it, this particular incident doesn't warrant too much concern at this point. Any damage the attacker would have wanted to cause is already done. Given that the major browser vendors all reacted already (not sure about Apple and mobile though) it's no longer a very attractive attack vector. Also while I suppose some clients depending on ca-certificate handle confidential data concerning the hijacked domains it's not a very common user case outside the web-browser space. With this bug report I also want to give a heads up to users of ca-certificates who may not be aware of this issue. After all it's ultimately up to the user to decide whom to to trust and whom to not trust. The problematic certs can be manually removed.

