On Wednesday, April 23, 2014 6:00:41 PM UTC-4, Eddy Nigg wrote:
> I do have a few questions for you! How can you know that a site using a
> certificate from ANY CA isn't or wasn't affected by the Heartbleed bug?
I'm planning on a more thorough answer that cross-references the SSL Observatory data from 2010 with a fresh update, and with published CRLs. One would expect that each CA would have about 17% of their issued certificates be revoked and re-keyed due to Heartbleed. In a day or two I should have some stats.

But meanwhile, there is no way for me to know how many private keys out there have been leaked. Google and a couple of others had advance notice of the bug, and I would imagine they've scanned the internet before the bug was announced and have a more comprehensive list of certificates at risk. Maybe someone from Google can chime in? I fully expect them to build a blacklist into the SafeBrowsing Chrome filter.

As you well know, there is a sizeable number of admins that had the bug and used a Startcom certificate who are not planning on paying your fee. I have not heard of similar hardship from admins who use other providers' certificates. So it's fair to say that the name Startcom will appear on a lot more compromised certificates than the other guys' names.

I hope to update you in a few days with some stats from my investigation into SSL Observatory vs. current CRL lists, but I can tell you now that I see some CAs that had an average of 20 revocations/day in March but have shot up to 300 revocations/day in April (i.e., a 15x increase). Startcom went from ~4 to ~22/day (a 5x increase). One would expect 17% of about 130k Startcom certs to be revoked due to Heartbleed (or a cool $500K, right?). However, at the current rate of 22/day, 82% of the affected certificates will still be valid on their expiration day.

> > Consider also that the presence of Startcom in this market is a barrier to
> > entry to other, honest and potentially inexpensive CAs.
>
> No, it's not, otherwise StartCom would own 100% of the market share
> which it doesn't. The offerings of StartCom suit certain users and
> others not.

Perhaps you are unaware of the competitive advantage you're currently enjoying.
Regards,
Radu Hociung

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
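The per-CA revocation-rate comparison in the post above (revocations/day in March vs. April) can be reproduced from any CA's published CRL. The following is an added example and is not part of this post, of the SSL Observatory tooling, or of any CA's software: it takes the text form of a CRL as printed by `openssl crl -in ca.crl -inform DER -text -noout`, extracts each entry's revocation date with the Python standard library only, and computes revocations per day for each calendar month plus the ratio between two months. The CRL text embedded in it is constructed for the example (the issuer name, serial numbers and dates are invented), and dividing the current month's count by the days elapsed up to the CRL's Last Update is the example's own convention.

```python
"""Revocation-rate analysis from `openssl crl -text` output (added example).

Usage on a real CRL:
    openssl crl -in ca.crl -inform DER -text -noout > ca.crl.txt
    python this_file.py < ca.crl.txt
With no stdin data it runs on the constructed sample below.
"""
import calendar
import re
import sys
from collections import Counter
from datetime import datetime

# Constructed sample shaped like `openssl crl -text` output; NOT a real CRL.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: /C=XX/O=Example CA/CN=Example CA Class 1
        Last Update: Apr 24 00:00:00 2014 GMT
        Next Update: May  1 00:00:00 2014 GMT
Revoked Certificates:
    Serial Number: 0A1B
        Revocation Date: Mar  3 10:00:00 2014 GMT
    Serial Number: 0A1C
        Revocation Date: Mar 14 08:30:00 2014 GMT
    Serial Number: 0A1D
        Revocation Date: Mar 29 23:59:59 2014 GMT
    Serial Number: 0B01
        Revocation Date: Apr  8 12:00:00 2014 GMT
    Serial Number: 0B02
        Revocation Date: Apr  8 12:05:00 2014 GMT
    Serial Number: 0B03
        Revocation Date: Apr  9 01:00:00 2014 GMT
    Serial Number: 0B04
        Revocation Date: Apr 10 09:00:00 2014 GMT
    Serial Number: 0B05
        Revocation Date: Apr 11 09:00:00 2014 GMT
    Serial Number: 0B06
        Revocation Date: Apr 15 09:00:00 2014 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 0B07
        Revocation Date: Apr 20 09:00:00 2014 GMT
    Serial Number: 0B08
        Revocation Date: Apr 22 09:00:00 2014 GMT
    Serial Number: 0B09
        Revocation Date: Apr 23 09:00:00 2014 GMT
"""

_OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_time(text):
    """Parse a time as openssl prints it, e.g. 'Mar  3 10:00:00 2014 GMT'.

    openssl pads single-digit days with a space, so whitespace is collapsed.
    """
    return datetime.strptime(" ".join(text.split()), _OPENSSL_TIME)


def parse_crl_text(text):
    """Return (this_update, [(serial_hex, revocation_date), ...])."""
    m = re.search(r"Last Update:\s*(.+)", text)
    if m is None:
        raise ValueError("no 'Last Update' line; not `openssl crl -text` output?")
    this_update = parse_openssl_time(m.group(1))
    entries = [
        (serial.upper(), parse_openssl_time(when))
        for serial, when in re.findall(
            r"Serial Number:\s*([0-9A-Fa-f:]+)\s+Revocation Date:\s*(.+)", text)
    ]
    return this_update, entries


def revocations_per_day(entries, as_of):
    """Revocations/day per calendar month, as {'2014-03': rate, ...}.

    A completed month is divided by its length; the month containing the
    CRL's Last Update (as_of) is divided by the days elapsed so far, since
    the CRL cannot list revocations made after that date.
    """
    counts = Counter(d.strftime("%Y-%m") for _, d in entries)
    rates = {}
    for month, n in sorted(counts.items()):
        year, mon = int(month[:4]), int(month[5:])
        if (year, mon) == (as_of.year, as_of.month):
            days = as_of.day
        else:
            days = calendar.monthrange(year, mon)[1]
        rates[month] = n / days
    return rates


def increase_factor(rates, before, after):
    """Ratio of the daily rate in month `after` to that in month `before`."""
    return rates[after] / rates[before]


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    this_update, entries = parse_crl_text(text or SAMPLE_CRL_TEXT)
    rates = revocations_per_day(entries, this_update)
    for month, rate in rates.items():
        print(f"{month}: {rate:.2f} revocations/day")
    months = list(rates)
    if len(months) >= 2:
        print(f"{months[-1]} vs {months[-2]}: "
              f"{increase_factor(rates, months[-2], months[-1]):.1f}x")
```

To compare CAs the way the post does, run it once per CA's CRL and read off the last two months; a CA's full revocation picture is often spread over several CRLs (one per issuing sub-CA), so the counts from each CRL distribution point should be summed before computing rates.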

