[cryptography] *.google.com certificate issued by DigiNotar

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Sep 2 00:19:32 EDT 2011


[NB: CC'd to the randombit cryptography list, since this is an interesting
     point for discussion].

Ian G <iang at iang.org> writes:

>What we'll likely see now is a series of breaches at multiple levels to
>acquire and misuse certs.  We've seen compromises in the past, but what makes
>this new is that we have evidence of an aggressive attack using the cert.

I wonder if we're going to see something like the four-minute-mile phenomenon,
until Roger Bannister did it, it was thought to be impossible, but once he'd
proven it was possible an avalanche of others followed his lead.  So now that
we've had repeated public cases showing you can own a CA, will others follow?

(Two possible counterarguments: (1) For all we know this has been going on 
forever, but noone's ever noticed since the CAs, in some cases in collusion 
with the browser vendors, have kept quiet and hoped no-one would notice, and 
(2) Since the value provided by browser PKI is near zero, there's no point to 
owning a CA for commercial attackers, so few will bother apart from hackers 
showing off).

Peter.



More information about the cryptography mailing list