On 24/03/11 10:09 -0400, Harald Koch wrote:
> On 3/23/2011 11:05 PM, Martin Millnert wrote:
> > To my surprise, I did not see a mention in this community of the
> > latest proof of the complete failure of the SSL CA model to actually
> > do what it is supposed to: provide security, rather than a false sense
> > of security.
>
> This story strikes me as a success - the certs were revoked immediately, and it took a surprisingly short amount of time for security fixes to appear all over the place.

The point is that the 'short amount of time' should have been zero (from
the time of the update of the CRL) which would have allowed an immediate
announcement of the revocation to the public, with sufficient details for
the public to make educated decisions about their internet usage.

But because the CRL publication did not facilitate that, due to whatever
deficiency there existed in the protocol or in browser implementations,
announcement had to be delayed, providing a small group of attackers a
larger window than necessary to compromise information.

--
Dan White
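The two halves the thread is arguing about, the CA publishing a CRL and a relying party acting on it before trusting a certificate, as an added example that is not part of the original posts or of any browser's code. It uses only Go's standard crypto/x509 (Go 1.19 or later for ParseRevocationList); the throwaway CA, the serials 1001 and 1002, and the hostnames mail.example.test and www.example.test are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) { // demo convenience only: abort on setup errors
	if err != nil {
		panic(err)
	}
}

// certTemplate builds a minimal template; the CA variant carries crlSign, which CreateRevocationList requires.
func certTemplate(serial int64, cn string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn}, // constructed name, not a real CA or host
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	}
	return t
}

// newCert signs tmpl with a fresh P-256 key; a nil parent means self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// publishCRL is the CA side: sign a DER CRL listing the revoked serials (RevokedCertificates is the older field name, accepted on Go 1.19 and later).
func publishCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []int64) []byte {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: entries,
	}, ca, caKey)
	must(err)
	return der
}

// CheckRevocation is the relying-party side: verify the CRL is signed by the issuing CA and still
// current, then look up the leaf's serial. An unverifiable or stale CRL is an error (fail closed).
func CheckRevocation(leaf, ca *x509.Certificate, crlDER []byte, now time.Time) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return false, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return false, fmt.Errorf("CRL signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL stale since %s", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

// RunScenario issues two leaves, revokes one, and returns (revoked cert rejected, valid cert accepted, stale CRL refused).
func RunScenario() (bool, bool, bool) {
	ca, caKey := newCert(certTemplate(1, "Demo Test CA", true), nil, nil)
	bad, _ := newCert(certTemplate(1001, "mail.example.test", false), ca, caKey)
	good, _ := newCert(certTemplate(1002, "www.example.test", false), ca, caKey)
	crlDER, now := publishCRL(ca, caKey, []int64{1001}), time.Now()
	revoked, err := CheckRevocation(bad, ca, crlDER, now)
	okGood, err2 := CheckRevocation(good, ca, crlDER, now)
	_, stale := CheckRevocation(good, ca, crlDER, now.Add(48*time.Hour)) // CRL past NextUpdate
	return revoked && err == nil, !okGood && err2 == nil, stale != nil
}

func main() {
	fmt.Println(RunScenario()) // true true true
}
```

Run it with `go run`. The relying-party check treats an unverifiable or expired CRL as an error rather than as "not revoked"; whether a client does that, or quietly proceeds when the CRL cannot be used, is one of the implementation choices that decides how long the window the message above describes stays open after the CA has updated its CRL.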
