[cryptography] another cert failure

Jeffrey Walton noloader at gmail.com
Sat Jan 5 08:16:02 EST 2013


On Sat, Jan 5, 2013 at 7:55 AM, Ralph Holz <holz at net.in.tum.de> wrote:
> Hi,
>
> On 01/05/2013 12:29 PM, Ben Laurie wrote:
>> Unless all the people who saw it happened to be running Chrome, then
>> it seems quite likely it was used maliciously, surely?
>
> The problem is that there are many values that both "legitimately" and
> "maliciously" can take. Turktrust's argument seems to be that it was
> "legitimately" used for SSL interception on a firewall/proxy device.
>
> The SANs in the rogue certs that have been published seem to support
> that. Whether SSL interception is good or bad is, unfortunately, open to
> debate.
>
> That said - does Google currently hold more rogue certs than the ones
> published? Chrome has some other sites pinned, too - is there actually a
> list?

For certificates pinned in Android, you have to go to the AOSP source.
Unfortunately, there is no web interface to the source.

I don't know about Chrome in general.

Jeff