[cryptography] fyi: The weakest link in the chain: Vulnerabilities in the SSL certificate authority system and what should be done about them
iang at iang.org
Wed Nov 23 04:42:27 EST 2011
On 23/11/11 11:11 AM, Peter Gutmann wrote:
> JeffH<Jeff.Hodges at KingsMountain.com> writes:
>> Of possible interest:
>> The weakest link in the chain: Vulnerabilities in the SSL certificate
>> authority system and what should be done about them
> It's not just NGOs that are seeing that browser PKI is "the weakest link in
> the chain". I was recently told of someone at a law workshop in which the
> topic of browser PKI and DigiNotar came up. In their words, "this was a
> roomful of people who couldn't tell you what SSL did, but they'd heard of
> DigiNotar". That's a level, and type, of exposure that you really don't want
> to get to.
Yeah. Up until now, PKI / secure browsing was tolerated. This
situation can be seen as an expectation or meme or myth in the market
place, where the belief was stable because there was no dis-confirming
information. E.g., no bad news.

Now we have bad news that acts to disconfirm the expectation that secure
browsing delivers some positive result. And, the CAs/vendors have no
good story to tell that would reverse the sense of the bad news.

So a plausible scenario now is that people who otherwise wouldn't care
("tolerate") and don't otherwise know, will start actively bypassing the

Another way of putting it is that in the past, people would use SSL
because secure browsing "is essential" without knowing why. Now, people
will avoid it, citing DigiNotar. Again without knowing why.
This is the problem with a system that doesn't deliver a result that can
be correlated to its claimed purpose. Cf. Dan Geer's comment.

To live in interesting times!