On Wed, 2013-01-30 at 09:55 -0800, x z wrote: > @Nadim, I think breaking in a CA is a rather serious crime that GFW would > refrain from committing;
Unlike, say, breaking into the Tibetan government-in-exile, Google and hundreds of other companies? But surely there is a registrar in China that the Chinese government can simply "lean on", if not one that is directly controlled by the government. The reasons NOT to do a "real" SSL attack is that compromised CAs get removed from browsers' CA databases, which means you've just burned a valuable resource for a future attack. What interests me most about this attack is that command-line tools like git are much less prepared to deflect SSL attacks than a typical browser. Projects like git, mercurial, wget, curl, countless mail readers, and even Tor (!) don't have the resources and infrastructure to maintain their own CA databases. Instead, they rely on, and lag behind, the databases of projects like Mozilla. Most of these don't poll CRLs, do pinning, or the other deeper defenses that browsers are moving to. -- Mathematics is the supreme nostalgia of our time. -- Unsubscribe, change to digest, or change password at: https://mailman.stanford.edu/mailman/listinfo/liberationtech
