On Thu, Aug 1, 2013 at 12:52 AM, Jeremy Baron <[email protected]> wrote:
> On Thu, Aug 1, 2013 at 4:28 AM, Anthony <[email protected]> wrote:
> > Does rapid key rotation in any way make a MITM attack less detectable?
> > Presumably the NSA would have no problem getting a fraudulent certificate
> > signed by DigiCert.
>
> I'm not seeing the relevance. And we have the SSL observatory (EFF) fwiw.

I fully admit that I don't understand exactly how SSL observatory works. I thought it detected when the key changes, so I was wondering whether rapidly rotating keys might thwart that. But again, I don't really understand how it works. So it wasn't a rhetorical question.

> We (society, standards making bodies, etc.) need to do more to reform
> the current SSL mafia system. (i.e. it should be easier for a vendor
> to remove a CA from a root store and we shouldn't have a situation
> where many dozens of orgs all have the ability to sign certs valid for
> any domain.)

In order to not be easily detected, the cert used by the MITM would need to be from the same CA as the usual one (DigiCert?). Or at least from someone who had obtained DigiCert's key.

Or is my cluelessness about how SSL observatory works showing once again?

_______________________________________________
Wikitech-l mailing list
[email protected]
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
