[cryptography] After the dust settles -- what happens next? (v. Long)

Marsh Ray marsh at extendedsubset.com
Sun Sep 11 21:40:34 EDT 2011


On 09/11/2011 07:26 PM, Paul Hoffman wrote:
> Some of us observe a third, more likely
> approach: nothing significant happens due to this event. The
> "collapse of faith" is only among the security folks whose faith was
> never there in the first place. A week after the event, who was
> talking about it other than folks on these lists and lists like
> them?

The 300,00+ Iranians who were actively attacked and now have to change 
their password and are wondering if they'd said anything in Gmail to get 
them arrested and interrogated.

The unknown numbers of Chinese (and people in other countries) who were 
hoping a US product like Gmail could provide a censorship-free email 
service.

The Dutch IT people who have to replace the ~58,000 certs issued by 
DigiNotar PKIoverheid CA.
> http://www.techworld.com.au/article/400068/dutch_government_struggles_deal_diginotar_hack/

The management at Google who are likely scared as hell that the 
webmasters and security auditors of the 50% of major sites that source 
Javascript from https://google-analytics.com/ will realize that they 
would have been pwned too (and possibly been obligated to report it) had 
the attacker issued a cert for that. Who else thinks he probably will 
next time?

The people responsible for security at Amazon, PayPal, every other big 
retailer and the financial services companies that handle high-value 
accounts.

The governments and government contractors who depend on SSL VPNs with 
an in-band second factor of auth (like hardware token codes) to secure 
their remote access.

The attacker himself: https://twitter.com/#!/ichsunx2

The people who've generated the 367,772 views (so far) of Comodohacker's 
Pastebin texts:
http://pastebin.com/u/ComodoHacker

Slashdot and their bazillion subscribers are still talking about it as 
of yesterday:
http://it.slashdot.org/story/11/09/10/2129239/GlobalSign-Web-Server-Hacked-But-Not-CA

Who isn't talking about it really?

The full damage is not even out yet. This thing is just getting started.

Despite rumors to the contrary, there are, in fact, a great many 
influential people who do give a shit about the actual effective 
security delivered by SSL/TLS (beyond its ability to add an air of 
confidence to consumers' $50-liability-limit credit card transactions).

This time is not like the previous "SSL is broken again ho hum" bugs.

- Marsh



More information about the cryptography mailing list