Incredible. I added the incident to https://wiki.thc.org/ssl#OtherIncidents

Also updated https://wiki.thc.org/ssl#BrowserManufactureFailedUs and, while at it, https://wiki.thc.org/ssl#EtisalatBreach (which is a prime example of a Bad Player who we are all forced to trust).

The posting mentions "[..] we are carefully considering what additional actions may be necessary." Are there any details available? Is anyone doing an investigation? Will there be more public information available?

Seth: great work. Thanks.

regards,
skyper

On Sat, Dec 7, 2013 at 10:05 PM, Seth Schoen <sch...@eff.org> wrote:
>
> http://googleonlinesecurity.blogspot.com/2013/12/further-improving-digital-certificate.html
>
> They caught it with pinning. I wonder if we have a sample; it sounds
> like it was an extremely small-scale attack (a single organization got
> an intermediate chaining to a publicly-trusted root in order to spy on
> employees with its firewall?). If that was the entire scope of it,
> it's relatively unlikely that anyone in that organization is sending
> observations to us, maybe depending on how large the organization is
> and whether they prevent desktop users from installing third-party
> software.
>
> --
> Seth Schoen <sch...@eff.org>
> Senior Staff Technologist https://www.eff.org/
> Electronic Frontier Foundation https://www.eff.org/join
> 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107