Slashdot Mirror


SSL Cert Revocation Lists?

DA-MAN asks: "Browsers ship with a ton of different certificate authorities that provide 'trust' for secure sites that we visit. With all of these certificate authorities comes a certificate revocation list, which is to flag bad certs. Firefox, IE and Safari do not have an automated way to pull updated lists from all of the different certificate authorities, so one must download each CRL manually and import them into the browser. It occurred to me the other day that the only time I've ever seen this feature in use was when Microsoft inserted the CRL for a certificate that was mistakenly issued by Verisign with the "Microsoft Corporation" name. All that said, I was just wondering if anyone cares about this? Do you actually import updated CRLs into your browser? Why can't the CRL be signed by the Cert Authority and automatically imported?" What other browsers support automatic CRL updates?
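The two checks an automatic importer would have to make before acting on a downloaded CRL, shown with the OpenSSL command line as an added example that is not part of the original post: the CRL must carry a valid signature from the CA it claims to come from, and only then is a certificate's presence on it meaningful. The script assumes an `openssl` binary is on the PATH; the CA, the impostor CA with the same name but a different key, the host name and all serials are constructed test values.

```sh
#!/bin/sh
# Added example, not from the original thread: build a scratch CA, issue one
# leaf certificate, revoke it in a CA-signed CRL, then make the two checks an
# automatic CRL importer needs: (a) is the CRL signed by the CA it claims to
# come from, and (b) is this certificate on it. All values are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Minimal config so `openssl ca` can keep a revocation database and sign CRLs.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = test_ca
[ test_ca ]
database = index.txt
new_certs_dir = .
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 7
policy = any_policy
[ any_policy ]
commonName = supplied
EOF
touch index.txt; echo 1000 > serial; echo 01 > crlnumber

mkca() { openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$1" \
           -keyout "$2.key" -out "$2.crt" 2>/dev/null; }
mkca "/CN=Scratch Test CA" ca          # the genuine CA
mkca "/CN=Scratch Test CA" impostor    # same name, different key: a forged issuer
openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 30 -out leaf.crt 2>/dev/null

openssl ca -config ca.cnf -gencrl -out empty.crl 2>/dev/null   # CRL before revocation
openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null          # revoke the leaf
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null      # CRL after revocation

# (a) Is CRL $1 signed by the key in CA cert $2? Only then may it be imported.
crl_signed_by() { openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'; }
# (b) Does chain validation with CRL $1 reject leaf.crt specifically as revoked?
#     Any other failure (bad CRL signature, expired CRL) does not count as "revoked".
cert_revoked() { openssl verify -crl_check -CAfile ca.crt -CRLfile "$1" leaf.crt 2>&1 \
                   | grep -q 'certificate revoked'; }

crl_signed_by ca.crl ca.crt       && echo "CRL signature: genuine CA key"
crl_signed_by ca.crl impostor.crt || echo "CRL signature: rejected for impostor key"
cert_revoked empty.crl            || echo "leaf before revocation: still valid"
cert_revoked ca.crl               && echo "leaf after revocation: revoked"
```

An importer that skips check (a) would accept any well-formed CRL naming the CA, which is why the signature check has to come before the serial lookup.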

3 of 59 comments

  1. Moot point by nagora · Score: 2, Interesting
    The first thing I do with a browser is delete all the certificates and tell it to ask me on a case-by-case basis. Since I don't trust Verisign/Thawte at all, the whole system is fairly worthless.

    At the end of the day, what has Verisign or anyone else ever done to deserve unquestioning trust from me, a person with no legal recourse to challenge their decisions about who to issue certificates to?

    TWW

    --
    "Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
    1. Re:Moot point by Lord+Ender · Score: 2, Interesting

      Instead of jumping right to the tinfoil hat response, I'll give you a real reason to trust Verisign: It is in their financial best interest to verify that they are giving certs to the right people. If they make too many mistakes, Microsoft might stop including them with Windows (due to customer demands).

      Reputation is everything in the cert industry. They won't want to lose it.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  2. Self-signed Certs by Anonymous Coward · Score: 1, Interesting

    It's somewhat off topic, but I have a related question. If all you want to do is encrypt traffic, and don't really care about the extra warning dialog, is there any disadvantage to using self-signed certificates?