Slashdot Mirror


Do the SSL Watchmen Watch Themselves?

StrongestLink writes "In an intriguing twist on the recent Comodo CA vulnerability discussed here last week, security researcher Mike Zusman today revealed that three days prior to StartCom's disclosure of a flaw in a Comodo reseller's registration process, he discovered and disclosed an authentication bypass flaw to StartCom in their own registration process that allowed an attacker to submit an authorized request for any domain. During a month which was marked by the continuing paradigm shift to SSL-verified holiday shopping, the Chain of Trust continues to run off the gears, and Bruce Schneier is even commenting publicly that SSL's site validation mission isn't even relevant. What lies ahead for the billion-dollar CA industry?"

3 of 171 comments

  1. Re:Sorry to go off-topic by chill · Score: 4, Informative

    quis custodiet ipsos custodes

    Latin for "who will watch the watchers".

    --
    Learning HOW to think is more important than learning WHAT to think.
  2. Re:Nope. Government AND private companies by Znork · Score: 2, Informative

    Sweden, Finland, Norway and Canada whose population density is lower than the US yet have higher broadband penetration seem to suggest that theory may not be entirely accurate.

  3. Re:Let governments handle SSL by Znork · Score: 3, Informative

    without ever seeing your private key

    Why would they need your private key? As long as they can sign any key as being valid for being 'you', they can make their own signed public/private key pair purporting to be you and MITM any communications to you. To get around that you'd still need out-of-band exchanges of the keys, in which case the government signing serves no purpose.

    In addition, the web of trust needs to be more configurable in any case.

    Without a doubt.
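The point of the reply above, as an added example that is not from the thread: a CA that will sign any key can issue a second certificate for the same name over a key it made itself, chain validation accepts both, and only a key exchanged out of band (here a pinned SPKI hash) tells them apart. It assumes the third-party `cryptography` package; the CA, keys and domain are constructed.

```python
import datetime
import hashlib
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def issue(ca_key, ca_name, subject_cn, subject_pub):
    """CA signs a certificate binding subject_cn to subject_pub (constructed, 1-day validity)."""
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)]))
            .issuer_name(ca_name)
            .public_key(subject_pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(ca_key, hashes.SHA256()))

def chain_valid(cert, ca_cert):
    """Browser-style check: does the trusted CA's signature over the cert verify?"""
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def spki_sha256(cert):
    """SPKI fingerprint: the value a client pins after an out-of-band exchange."""
    der = cert.public_key().public_bytes(serialization.Encoding.DER,
                                         serialization.PublicFormat.SubjectPublicKeyInfo)
    return hashlib.sha256(der).hexdigest()

def demo():
    # Constructed CA and site keys; nothing here is a real CA or domain.
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed CA")])
    ca_cert = issue(ca_key, ca_name, "Constructed CA", ca_key.public_key())
    site_key = ec.generate_private_key(ec.SECP256R1())
    legit = issue(ca_key, ca_name, "example.com", site_key.public_key())
    pinned = spki_sha256(legit)  # exchanged out of band, before any connection
    # The CA mints a cert for the same name over a key the site never held:
    # the site's private key is never needed for the chain check to pass.
    impostor_key = ec.generate_private_key(ec.SECP256R1())
    impostor = issue(ca_key, ca_name, "example.com", impostor_key.public_key())
    return {"chain_accepts_legit": chain_valid(legit, ca_cert),
            "chain_accepts_impostor": chain_valid(impostor, ca_cert),
            "pin_accepts_legit": spki_sha256(legit) == pinned,
            "pin_accepts_impostor": spki_sha256(impostor) == pinned}
```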