Last week Bruce Schneier published An Untrustworthy TLS Certificate in Browsers and now Ian Carroll has published Security concerns with the e-Tugra certificate authority.
Ian is best known for the death of EV (Extended Validation) certificates. He legally registered a colliding entity name and then got an EV certificate for his site stripe.ian.sh. As this site is not online any more, a good write-up of this is Extended Validation Certificates are (Really, Really) Dead by Troy Hunt.
Troy Hunt is also known for his website ';--have i been pwned?.
Schneier suggests that it might be time to disable / remove trust for the following Certificate Authorities (CAs):
Cory Doctorow gives a very good explanation of the problem in general and its causes here. Basically, we are just too trusting and we believe that others are looking after our interests. It appears that they are not.
(Score: 0) by Anonymous Coward on Monday November 21 2022, @07:19PM
There's no need to. It's a rehash of old stuff long known (e.g. Reflections on Trusting Trust).
I'm not aiming for perfect security, just better security. It's all a matter of managing risks and probabilities. Whatever I do I'd have to trust the browser and bank anyway if I want to do online banking.
BUT if the browser makers do stuff right, while I still have to trust the browser and bank I don't have to trust that ALL the CAs have got their act together whenever I do online banking.
With the current system it just takes one CA out of very many to do the wrong thing, and the browser won't warn you when that happens.
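As an added illustration of the point made in the comment above (this is example code written for this page, not code from any of the people or sites mentioned), the following Python models the trust decision a browser makes and the two checks a browser does not make for you: whether the leaf certificate was issued by the CA you expect for that host, and whether any CA in the chain (or in your own trust store) is one you have decided to distrust. Certificates are represented in the dict shape that Python's ssl.SSLSocket.getpeercert() and ssl.SSLContext.get_ca_certs() return; the chain and CA names are constructed for the example, signature checking is deliberately left out, and the host name, CA names and function names are assumptions, not anything from the article.

```python
"""Model of the 'any one CA can issue for any host' trust decision, plus
defender-side checks: expected-issuer pinning per host, a distrust list
applied to a chain, and an audit of a Python ssl trust store.
All names below are constructed for illustration."""
import ssl

# Constructed sample chain, leaf first, in getpeercert() shape.
LEAF = {
    "subject": ((("commonName", "bank.example"),),),
    "issuer": ((("organizationName", "Rogue Issuing CA (constructed)"),),),
}
ROGUE_ROOT = {  # self-signed root: issuer == subject
    "subject": ((("organizationName", "Rogue Issuing CA (constructed)"),),),
    "issuer": ((("organizationName", "Rogue Issuing CA (constructed)"),),),
}
CHAIN = [LEAF, ROGUE_ROOT]

# A trust store with many roots, only one of which is rogue (constructed).
TRUSTED_ROOT_ORGS = {
    "Honest Root A (constructed)",
    "Honest Root B (constructed)",
    "Rogue Issuing CA (constructed)",
}


def name_to_dict(rdns):
    """Flatten the nested RDN tuples from getpeercert() into a plain dict."""
    return {key: value for rdn in rdns for key, value in rdn}


def browser_accepts(chain, trusted_root_orgs):
    """What a browser does: accept if each certificate is issued by the next
    one in the chain and the last one is *any* trusted root. Nothing here
    asks whether this particular CA should be issuing for this host."""
    for cert, parent in zip(chain, chain[1:]):
        if name_to_dict(cert["issuer"]) != name_to_dict(parent["subject"]):
            return False
    root_org = name_to_dict(chain[-1]["subject"]).get("organizationName")
    return root_org in trusted_root_orgs


def issuer_warnings(chain, expected_issuer_orgs, distrusted_orgs):
    """The checks the browser does not do for you. Returns a list of
    human-readable warnings; an empty list means nothing suspicious."""
    warnings = []
    host = name_to_dict(chain[0]["subject"]).get("commonName")
    leaf_issuer = name_to_dict(chain[0]["issuer"]).get("organizationName")
    expected = expected_issuer_orgs.get(host)
    if expected and leaf_issuer != expected:
        warnings.append(f"{host}: issued by {leaf_issuer!r}, expected {expected!r}")
    for cert in chain:
        org = name_to_dict(cert["issuer"]).get("organizationName")
        if org in distrusted_orgs:
            warnings.append(f"{host}: chain contains distrusted CA {org!r}")
            break
    return warnings


def audit_store(distrusted_orgs, load_system=True):
    """List distrusted CA organisations still present in a Python ssl trust
    store. With load_system=True the platform's default roots are loaded
    via load_default_certs(); with False the store is empty, which is useful
    for testing without depending on the machine's root set."""
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if load_system:
        context.load_default_certs()
    found = []
    for cert in context.get_ca_certs():
        org = name_to_dict(cert["subject"]).get("organizationName")
        if org in distrusted_orgs:
            found.append(org)
    return found


if __name__ == "__main__":
    distrust = {"Rogue Issuing CA (constructed)"}
    print("browser accepts rogue chain:", browser_accepts(CHAIN, TRUSTED_ROOT_ORGS))
    for line in issuer_warnings(CHAIN, {"bank.example": "Honest Root A (constructed)"}, distrust):
        print("WARNING:", line)
    print("distrusted roots in system store:", audit_store(distrust))
```

Run as a script it shows the rogue chain being accepted by the browser-style check while the per-host issuer check and the distrust list both flag it; the final audit only reports a constructed CA name, so it prints an empty list on a real system, but pointing audit_store at real organisation names lets you confirm whether a CA you no longer trust is still in the roots Python would use.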