It was Mozilla.com: http://www.sslshopper.com/article-ssl-certificate-for-mozilla.com-issued-without-validation.html
Juha-Matti

Volker Tanger [[email protected]] wrote:
> Hi!
>
> > The prevailing use of self-signed certs on the Internet basically
> > destroys the usefulness of HTTPS, since it trains users to simply
> > click "add exception" and ignore the scary warnings "because then I
> > get the lock icon, which means I'm safe!"
> [...]
> > stop being so effing
> > stingy and cough up the $70 for a certificate signed by a CA that is
> > in the default trusted bundle of major browsers.
>
> Well, last month we saw reports that one of those "trusted" CAs (one of
> those preinstalled-in-all-browsers ones) signed certificates without
> *any* check. The example chosen was MOZILLA.ORG (.com? not sure). A few
> years ago there was the case of the microsoft.com cert being signed to a
> non-MS person.
>
> So training the users "lock = safe" or even "green lock = safe" is as
> misleading as using self-signed certs.
>
> And as browsers usually do not check CRLs, there is no way of preventing
> the use of wrongfully signed certificates short of distributing a
> "software update" (as was with the MS case). If browsers had a cert
> cache and checked it similar to SSH, MitM attacks would be much harder.
>
> Bye
>
> Volker
>
> --
> Volker Tanger http://www.wyae.de/volker.tanger/
> --------------------------------------------------
> [email protected] PGP Fingerprint
> 378A 7DA7 4F20 C2F3 5BCC 8340 7424 6122 BB83 B8CB

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
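The "cert cache checked like SSH" idea from the quoted message, worked through as an added example (this is not code from the thread, from Mozilla or from any browser). It keeps an SSH known_hosts-style file of one "host sha256:<hex>" line per host, pins the first certificate seen for a host, and flags any later change regardless of who signed the new certificate; the file format, the function names and the two DER byte strings standing in for certificates are all this example's own assumptions. The only live call, fetch_der_cert(), uses the standard-library ssl.get_server_certificate() and is not exercised by the offline demo.

```python
from __future__ import annotations

import hashlib
import ssl
from enum import Enum

# Added example of trust-on-first-use certificate pinning, modelled on SSH's
# known_hosts. Everything here (PinResult, the cache file layout, the sample
# byte strings) is an assumption of this example, not any browser's behaviour.


class PinResult(Enum):
    FIRST_SEEN = "first seen: fingerprint recorded"
    MATCH = "match: same certificate as last time"
    MISMATCH = "MISMATCH: certificate changed, possible MitM"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, analogous to what ssh-keygen -l shows."""
    return "sha256:" + hashlib.sha256(der_cert).hexdigest()


def parse_cache(text: str) -> dict[str, str]:
    """Parse known_hosts-style lines ('host sha256:<hex>') into {host: fingerprint}."""
    cache: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, fp = line.split(None, 1)
        cache[host] = fp.strip()
    return cache


def dump_cache(cache: dict[str, str]) -> str:
    """Serialise the cache back into the one-line-per-host file format."""
    return "".join(f"{host} {fp}\n" for host, fp in sorted(cache.items()))


def check_pin(host: str, der_cert: bytes, cache: dict[str, str]) -> PinResult:
    """Compare the presented certificate with the pinned one; pin it on first contact.

    The CA signature plays no role here, which is the point the post makes:
    a wrongly issued but validly signed certificate for a host we already
    know still comes back as MISMATCH.
    """
    seen = fingerprint(der_cert)
    pinned = cache.get(host)
    if pinned is None:
        cache[host] = seen
        return PinResult.FIRST_SEEN
    if pinned == seen:
        return PinResult.MATCH
    return PinResult.MISMATCH


def fetch_der_cert(host: str, port: int = 443) -> bytes:
    """Live helper (not used by the offline demo): the leaf certificate a server presents."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def demo() -> list[PinResult]:
    """Offline walk-through on constructed certificate bytes (not real DER)."""
    legit_cert = b"\x30\x82\x01\x00constructed-cert-for-mozilla.com-from-the-usual-ca"
    rogue_cert = b"\x30\x82\x01\x00constructed-cert-for-mozilla.com-issued-without-validation"

    cache = parse_cache("# host fingerprint\n")
    results = [check_pin("mozilla.com", legit_cert, cache)]      # first contact: pinned
    cache = parse_cache(dump_cache(cache))                        # round-trip through the file
    results.append(check_pin("mozilla.com", legit_cert, cache))  # same cert again: MATCH
    results.append(check_pin("mozilla.com", rogue_cert, cache))  # different cert, CA-signed or not: MISMATCH
    return results


if __name__ == "__main__":
    for result in demo():
        print(result.value)
```

The caveat a deployment would hit immediately: a legitimate certificate renewal or a CDN handing out different leaf certificates per edge also produces MISMATCH, so a plain first-use cache turns every routine rotation into the same scary prompt the quoted message complains about. Pinning the CA or an intermediate instead of the leaf, or accepting a new leaf that chains to the previously pinned issuer, is the usual compromise.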
