Slashdot Mirror


Rogue SSL Certs Issued For CIA, MI6, Mossad

Orome1 writes with this excerpt from Help Net Security: "The number of rogue SSL certificates issued by Dutch CA DigiNotar has ballooned from one to a couple dozen to over 250 to 531 in just a few days. As Jacob Appelbaum of the Tor project shared the full list of the rogue certificates, it became clear that fraudulent certificates for domains of a number of intelligence agencies from around the world were also issued during the CA's compromise — including the CIA, MI6 and Mossad. Additional targeted domains include Facebook, Yahoo!, Microsoft, Skype, Twitter, Tor, Wordpress and many others."

3 of 152 comments

  1. well managed self-signed certs are safer by YesIAmAScript · Score: 3, Insightful

    At least you know how many and which certs were issued from an authority that you run yourself.

    The chain of trust is only as strong as the weakest link in the chain.

    --
    http://lkml.org/lkml/2005/8/20/95
  2. Draw the consequences by jeti · Score: 2, Insightful

    You can't trust the root CAs. The whole infrastructure is broken and needs to be replaced with something else.

    For a start, web browsers should notify users if a certificate was replaced, even if the replacement is signed. And browsers shouldn't go into full panic mode over self-signed certs. They're still safer than using an unencrypted connection.

  3. Re:F-secure has a partial list by AVee · Score: 3, Insightful

    I'm kind of perplexed by the *.*.com certificate; is there any use in having such a cert? Realistically there is no (legitimate) reason for such a certificate to exist. Is there any software around that will actually accept certificates which are that broad? I mean, if there ever is a clear giveaway for a MITM attack it would be a certificate like that.
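Whether any client would honour a `*.*.com` certificate comes down to how it matches the requested hostname against the names in the certificate. The following is an added example, not part of the original thread, of a conservative matcher in the style of the RFC 6125 wildcard rules (wildcard only as the complete left-most label, with at least two labels to its right, as mainstream browsers require); names such as `*.*.com` and `*.com` are rejected before any matching is attempted.

```python
import re

# A DNS label: letters, digits and interior hyphens (conservative form).
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _valid_labels(labels):
    return all(_LABEL_RE.match(label) for label in labels)


def is_acceptable_pattern(presented: str) -> bool:
    """Return True if a presented identifier (a SAN dNSName or CN value)
    is something a cautious client should be willing to match at all.

    Rejected: empty names, more than one wildcard, a wildcard anywhere
    but the left-most label, a wildcard that is only part of a label
    (e.g. 'w*.example.com'), and a wildcard with fewer than two labels
    to its right, so both '*.com' and '*.*.com' fail here.
    """
    presented = presented.lower().rstrip(".")
    if not presented:
        return False
    labels = presented.split(".")
    wildcard_count = sum("*" in label for label in labels)
    if wildcard_count == 0:
        return _valid_labels(labels)
    if wildcard_count > 1 or labels[0] != "*":
        return False
    rest = labels[1:]
    return len(rest) >= 2 and _valid_labels(rest)


def hostname_matches(hostname: str, presented: str) -> bool:
    """Match a requested hostname against one presented identifier.

    A wildcard stands for exactly one label: '*.example.com' matches
    'www.example.com' but neither 'example.com' nor 'a.b.example.com'.
    """
    if "*" in hostname or not is_acceptable_pattern(presented):
        return False
    host_labels = hostname.lower().rstrip(".").split(".")
    pres_labels = presented.lower().rstrip(".").split(".")
    if not _valid_labels(host_labels):
        return False
    if pres_labels[0] != "*":
        return host_labels == pres_labels
    return (len(host_labels) == len(pres_labels)
            and host_labels[1:] == pres_labels[1:])
```

Real clients should rely on their TLS library's hostname verification rather than a hand-written matcher; this block only makes the accept/reject rules visible.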