Microsoft supporting tyrants?

Benoit Sibaud bsibaud at april.org
Tue Mar 22 21:40:58 UTC 2011


Hi,

Some pointers:

http://www.eff.org/observatory
and
http://events.ccc.de/2010/12/28/is-the-ssliverse-a-safe-place/
http://media.ccc.de/browse/congress/2010/27c3-4121-en-is_the_ssliverse_a_safe_place.html (video)

"All major web browsers come with a preinstalled list of CAs that they
assume to be trustworthy. Every website can be signed by any of these
CAs, so no web browser would show a warning if www.dod.gov were signed
by a Chinese certification authority or by Deutsche Telekom."

"At Defcon 2010, we reported the initial findings of the SSL
Observatory. That included thousands of valid "localhost"
certificates, certificates with weak keys, CA certs sharing keys and
with suspicious expiration dates, and the fact that there are
approximately 650 organizations that can sign a certificate for any
domain that will be trusted by modern desktop browsers, including some
that you might regard as untrustworthy."


-- 
Benoît Sibaud