>And you have a clue for us on how to do that?

>Kind regards
>Philipp Kern

Some ideas that were proposed:

1) make use of the already existing openssl-blacklist infrastructure

2) drop the offending CA (this is already the third -publicly reported-
incident specifically involving them)

3) take this as a cause to think boldly and start working on
simplifying, consolidating and improving the TSL/SSL "mess" 
that currently exists on Linux. Mozilla welcomes for contribution in their
ongoing discussion about "technical and policy changes" "surrounding 
authentication and security on the web":
http://blog.mozilla.com/security/2011/03/25/comodo-certificate-issue-follow-up/
https://www.mozilla.org/about/forums/#dev-security-policy

maybe something fruitful would come from a collaboration of some sorts.


This probably wasn't the last incident of this sort. Here is the chance to
prepare for the next one that might be a lot more damaging.

If the goal is to protect users the action needs to be really swift, now
it's too late anyway.

As I see it, this particular incident doesn't warrant too much
concern at this point. Any damage the attacker would have wanted to cause
is already done. Given that the major browser vendors all reacted 
already (not sure about Apple and mobile though) it's no longer a very
attractive attack vector. Also while I suppose some clients depending on
ca-certificate handle confidential data concerning the hijacked domains
it's not a very common user case outside the web-browser space.

With this bug report I also want to give a heads up to users of ca-certificates
who may not be aware of this issue. After all it's ultimately up to the user
to decide whom to to trust and whom to not trust. The problematic certs
can be manually removed.
                                          

Reply via email to