Slash Boxes

SoylentNews is people

posted by janrinok on Monday November 21, @04:38PM   Printer-friendly
from the one-at-the-time dept.

Last week Bruce Schneier published An Untrustworthy TLS Certificate in Browsers and now Ian Carroll has published Security concerns with the e-Tugra certificate authority.

Ian is best known for the death of the EV (Extended Validation) certificates. He legally registered a colliding entity name and then got an EV certificate for his site As this site is not online any more, a good write up of this is Extended Validation Certificates are (Really, Really) Dead by Troy Hunt.

Troy Hunt is also known for his website ';--have i been pwned?.

Schneier suggests that it might be time to disable / remove trust for the following Certificate Authorities (CAs):

  • TrustCor
  • E-Tugra

Cory Doctorow gives a very good explanation the the problem in general and its causes here. Basically, we are just too trusting and we believe that others are looking after our interests. It appears that they are not.

Original Submission

This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Interesting) by Anonymous Coward on Monday November 21, @06:46PM (2 children)

    by Anonymous Coward on Monday November 21, @06:46PM (#1280861)

    How can you trust the plug-in?

    People like you can go build your own computer, write your own compiler, OS, browser from scratch.

    In practice I'll have to trust something/someone at some point, trusting an extension which I can see the source code of is still better than trusting CAs just because Google/Microsoft says they're OK.

    When the CA themselves are corrupted (as the two that are mentioned are) then the whole system falls down.

    Your claim is false. Don't forget ssh works fine even without CAs.

    If my bank's server certificate has not changed, even if the CA that signed the cert has signed new certs that pretend to be that bank, it's not a big problem to me as long as the browser would warn me if the bank's cert has changed and the bank's cert has NOT changed.

    The whole system falls down only because the browser doesn't warn you of potentially important stuff that it can and should warn you about.

    By the way, browsers should accept self signed certificates too and in the way the SSH does - e.g. after you say it's OK it should stop bothering you about it BUT warn you if one day it changes. Then that way self-signed certs could be more secure than the current handling of CA signed certs.

    Starting Score:    0  points
    Moderation   +2  
       Interesting=2, Total=2
    Extra 'Interesting' Modifier   0  

    Total Score:   2  
  • (Score: 3, Troll) by janrinok on Monday November 21, @07:02PM (1 child)

    by janrinok (52) Subscriber Badge on Monday November 21, @07:02PM (#1280864) Journal

    Your claim is false

    I thought so - you haven't read it.

    • (Score: 0) by Anonymous Coward on Monday November 21, @07:19PM

      by Anonymous Coward on Monday November 21, @07:19PM (#1280870)

      There's no need to. It's a rehash of old stuff long known (e.g. Reflections on Trusting Trust).

      I'm not aiming for perfect security, just better security. It's all a matter of managing risks and probabilities. Whatever I do I'd have to trust the browser and bank anyway if I want to do online banking.

      BUT if the browser makers do stuff right, while I still have to trust the browser and bank I don't have to trust that ALL the CAs have got their act together whenever I do online banking.

      The current system is it just takes one CA out of very many to do the wrong thing, but the browser won't warn you when that happens.