[cryptography] Symantec gets it wrong

Adam Back adam at cypherspace.org
Thu Sep 8 14:53:38 EDT 2011


I agree - if your bargain basement $15 site CA gets hacked and delisted,
just buy another cert from the next in line for $20 and install it on your
server.  Problem solved.  Your only cost is replacing your cert between when
the problem is announced and hopefully before the delisting kicks in.  I bet
people are thinking this is a rare enough event, even yet, not to worry about
the risk of a tiny chance of a few mins of blacklisting.

Anyone with a sizeable business and any moderate number of employees and a
few certs won't worry about $15 vs $100 that the larger CAs may charge anyway,
and may opt for the marginal professionalism feel from a more well known CA
at that cost.

Either way you're still at the same risk of MITM whichever CA you use as was
said.

BTW, massive kudos to the Comodo hacker if his 'sploits are accurately
bragged; a favor he did the SSL/PKI community indeed.  There were multiple
files posted as trophies, so I presume people have verified.

Adam

On Thu, Sep 08, 2011 at 08:16:07PM +0200, Ralph Holz wrote:
>However, what I meant is that the blog entry ignores the fact that as
>long as there is a weakest link in the root store, protection of your
>domain certification is exactly as strong as that weakest link. Sure,
>you can go to VeriSign to get a certificate, but it won't help you if
>DigiNotar is hacked afterwards and certificates for your domain issued.
>
>I am no good at predicting customer behaviour, but why should customers
>opt for the more expensive solution then?
