Steinar,

On Sun, Sep 11, 2011 at 8:12 PM, <sth...@nethelp.no> wrote:
>> To pop up the stack a bit it's the fact that an organization willing to
>> behave in that fashion was in my list of CA certs in the first place.
>> Yes they're blackballed now, better late than never I suppose. What does
>> that say about the potential for other CAs to behave in such a fashion?
>
> I'd say we have every reason to believe that something similar *will*
> happen again :-(
Something similar, including use of purchased (not only limited to stolen) certs, is ongoing already, all of the time. (I had a fellow IRC-chat-friend report from a certain very western-allied Middle Eastern country that there's ISP/state-scale SSL-MITM ongoing there, for all https traffic.)

The comment on starting out with an empty /etc/ssl is valid. Most of the normally included CAs you almost never run into on the wild web anyway. There were some blog postings about this last time a CA was busted. Shave off 90% of them and you have at least come a bit on the way (goal 100%).

The absence of proof is *not* proof of absence, and in this particular case it's pretty safe to assume some abuse is ongoing somewhere, 24/7.

Cheers,
Martin
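The "shave off 90% of them" step in the message above, as an added example that is not part of the original thread: on Debian/Ubuntu the root set under /etc/ssl/certs is driven by /etc/ca-certificates.conf, which lists one certificate file per line and treats a leading "!" as deselected (the assumption this example rests on; update-ca-certificates then rebuilds the store). The script rewrites such a file so that every root not on a local allowlist is deselected, and reports allowlist entries the file does not mention so a typo cannot silently trust nothing. The sample config and the allowlist are constructed for the example.

```python
"""Prune a Debian-style /etc/ca-certificates.conf down to an allowlist.

Assumptions (not from the original mail): the host uses the Debian/Ubuntu
ca-certificates package, whose config lists one certificate file per line
and treats a leading '!' as "deselected"; `update-ca-certificates` then
rebuilds /etc/ssl/certs from the selected entries only. The allowlist and
the sample config below are constructed for this example.
"""
from __future__ import annotations

# Constructed sample of the conf format: comments, blank lines, one
# certificate path per line, '!' marks an entry that is already deselected.
SAMPLE_CONF = """\
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs.
mozilla/Example_Root_CA_1.crt
mozilla/Example_Root_CA_2.crt
!mozilla/Already_Disabled_CA.crt
mozilla/Example_Root_CA_3.crt

mozilla/Example_Root_CA_4.crt
"""

# Hypothetical allowlist: the handful of roots this host actually needs.
ALLOWLIST = {
    "mozilla/Example_Root_CA_2.crt",
    "mozilla/Example_Root_CA_4.crt",
}


def prune_conf(text: str, allow: set[str]) -> tuple[str, dict[str, int]]:
    """Return the rewritten conf plus counts of kept/disabled/already-disabled entries."""
    out: list[str] = []
    stats = {"kept": 0, "disabled": 0, "already_disabled": 0}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            out.append(raw)            # comments and blank lines pass through
            continue
        if line.startswith("!"):
            name = line[1:].strip()
            if name in allow:
                out.append(name)       # re-enable an allowlisted entry
                stats["kept"] += 1
            else:
                out.append(raw)        # leave it deselected
                stats["already_disabled"] += 1
            continue
        if line in allow:
            out.append(raw)
            stats["kept"] += 1
        else:
            out.append("!" + line)     # deselect everything not allowlisted
            stats["disabled"] += 1
    return "\n".join(out) + "\n", stats


def missing_from_conf(text: str, allow: set[str]) -> set[str]:
    """Allowlist entries the conf never mentions (typo, or a root the package dropped)."""
    present = {
        entry.strip().lstrip("!").strip()
        for entry in text.splitlines()
        if entry.strip() and not entry.strip().startswith("#")
    }
    return allow - present


if __name__ == "__main__":
    new_text, stats = prune_conf(SAMPLE_CONF, ALLOWLIST)
    print(new_text)
    print(stats, "missing:", missing_from_conf(SAMPLE_CONF, ALLOWLIST))
```

Keep the allowlist under version control and diff the rewritten file before running update-ca-certificates; the "disabled" count is the number of roots that stop being trusted in one step, which is the whole point of the exercise.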