Peter Eckersley <[email protected]> writes:

>This seems consistent with Nadia Heninger's claim that these are exclusively
>routers, VPN devices and other embedded systems:

The state of keys in routers and the like is pretty bad, pre-provisioned fixed keys shared across multiple devices, use of identical serial numbers and DNs (so browsers see it as an attack/cert-spoofing), done by a whole slew of vendors including Astaro, Cisco, Dell, Fortigate, Fujitsu Siemens, HP, Linksys, Sonicwall, Zimbra, and Zyxel, and a range of other horrors. It's so consistently bad that I've recommended for cert-consuming apps that if you see a completely broken cert coming from a device in the same subnet and/or on the default gateway then to ignore any problems since it's a normal state of affairs.

Peter.
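An inventory audit for the two conditions described in the message above (one key shared across several devices, and the same issuer DN and serial number on different certificates), as an added example that is not part of the original message. The inventory records, host addresses, vendor names and function names are assumptions, and the byte strings are constructed stand-ins for the DER data a scanner would collect.

```python
import hashlib
from collections import defaultdict

# Constructed inventory: (host, issuer DN, serial as hex, cert bytes, public-key bytes).
# The byte strings are placeholders for DER-encoded data gathered by a scanner.
INVENTORY = [
    ("10.0.0.1", "CN=router,O=ExampleVendor", "01", b"cert-A", b"key-1"),
    ("10.0.1.1", "CN=router,O=ExampleVendor", "01", b"cert-A", b"key-1"),
    ("10.0.2.1", "CN=router,O=ExampleVendor", "1",  b"cert-B", b"key-2"),
    ("10.0.3.9", "CN=vpn-gw,O=OtherVendor",   "7f", b"cert-C", b"key-3"),
]

def fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint used to compare keys and certificates."""
    return hashlib.sha256(data).hexdigest()

def audit(inventory):
    """Return (shared_keys, reused_issuer_serial).

    shared_keys: key fingerprint -> hosts presenting that same public key.
    reused_issuer_serial: (issuer, serial) -> hosts, for pairs that appear
    on more than one distinct certificate.
    """
    hosts_by_key = defaultdict(set)
    certs_by_pair = defaultdict(set)
    hosts_by_pair = defaultdict(set)
    for host, issuer, serial_hex, cert, pubkey in inventory:
        hosts_by_key[fingerprint(pubkey)].add(host)
        # Compare serials as integers so "01" and "1" are the same serial.
        pair = (issuer, int(serial_hex, 16))
        certs_by_pair[pair].add(fingerprint(cert))
        hosts_by_pair[pair].add(host)
    shared_keys = {k: sorted(h) for k, h in hosts_by_key.items() if len(h) > 1}
    reused = {p: sorted(hosts_by_pair[p])
              for p, certs in certs_by_pair.items() if len(certs) > 1}
    return shared_keys, reused

if __name__ == "__main__":
    shared, reused = audit(INVENTORY)
    for key_fp, hosts in shared.items():
        print(f"shared key {key_fp[:16]}... on {', '.join(hosts)}")
    for (issuer, serial), hosts in reused.items():
        print(f"issuer/serial reuse {issuer} #{serial:x} on {', '.join(hosts)}")
```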
