Microsoft supporting tyrants?
bsibaud at april.org
Tue Mar 22 21:40:58 UTC 2011
"All major webbrowsers come with a list of CAs preinstalled they assume
as trustworthy. Every website can be signed by any of these CAs, so no
webbrowser would show a warning, if www.dod.gov would be signed by a
Chinese certification authority or the Deutsche Telekom."
"At Defcon 2010, we reported the initial findings of the SSL
Observatory. That included thousands of valid "localhost"
certificates, certificates with weak keys, CA certs sharing keys and
with suspicious expiration dates, and the fact that there are
approximately 650 organizations that can sign a certificate for any
domain that will be trusted by modern desktop browsers, including some
that you might regard as untrustworthy."
More information about the Discussion