The Spy in the Middle: Are SSL certificates even more broken than we thought?
Mar 25, 2010, 01:33
By Matt Blaze
"A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don't even do that.

"SSL certificates are the primary mechanism for ensuring that secure web sites -- those displaying that reassuring "padlock" icon in the address bar -- really are who they purport to be. In order for your browser to display the padlock icon, a web site must first present a "certificate", digitally signed by a trusted "root" authority, that attests to its identity and encryption keys.

"Unfortunately, through a confluence of sloppy design, naked commercial maneuvering, and bad user interfaces, today's web browsers have evolved to accept certificates issued by a surprisingly large number of root authorities, from tiny, obscure businesses to various national governments. And a certificate from any one of them is usually sufficient to bless any web connection as being "secure"."
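The mechanism Blaze describes can be seen end to end with nothing but the openssl command line. The script below is an added example, not code from Blaze's post or from this page: it constructs two unrelated root CAs ("Root A" and "Root B", hypothetical names), has each issue a certificate for the same hypothetical hostname example.test, and builds a browser-style trust store that contains both roots. Standard chain validation, which is all the padlock represents, accepts both leaf certificates, because the store does not care which trusted root signed the chain. The added pinned_verify function shows the check a relying party has to do itself if it wants to know that the chain ends in the one root it expects.

```shell
#!/bin/sh
# Added example (not from Matt Blaze's post or the original page). Requires only
# the openssl CLI. Root names, file names and the hostname are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
HOST=example.test   # hypothetical hostname, not a real site

# Create a self-signed root CA ("req -x509" marks it CA:TRUE by default).
make_root() {        # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" -days 2 >/dev/null 2>&1
}

# Issue a leaf certificate for $HOST, signed by root $1, written to $2.pem.
issue_leaf() {       # $1 = root prefix, $2 = leaf prefix
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$2.key" -out "$2.csr" -subj "/CN=$HOST" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$HOST" > "$2.ext"
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
        -out "$2.pem" -days 2 -extfile "$2.ext" >/dev/null 2>&1
}

# What a browser does: accept any chain that ends in any root in the store.
verify_against_store() {   # $1 = leaf .pem ; store.pem holds all trusted roots
    openssl verify -CAfile store.pem -verify_hostname "$HOST" "$1" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate, colon-separated hex as OpenSSL prints it.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Pinning: the chain must validate AND terminate in the root with fingerprint $2.
# Each root in the store is tried on its own to find which one actually signed
# the leaf; only a match against the pinned root counts.
pinned_verify() {          # $1 = leaf .pem ; $2 = expected root fingerprint
    verify_against_store "$1" || return 1
    for root in root*.pem; do
        if openssl verify -CAfile "$root" -verify_hostname "$HOST" "$1" >/dev/null 2>&1; then
            [ "$(fingerprint "$root")" = "$2" ] && return 0
        fi
    done
    return 1
}

make_root rootA "Root A (constructed)"
make_root rootB "Root B (constructed)"
issue_leaf rootA leafA
issue_leaf rootB leafB
cat rootA.pem rootB.pem > store.pem      # trust store: both roots are trusted
PIN_A=$(fingerprint rootA.pem)           # the site operator's real root

for leaf in leafA.pem leafB.pem; do
    verify_against_store "$leaf" && echo "$leaf: accepted by the store (either root suffices)"
    if pinned_verify "$leaf" "$PIN_A"; then
        echo "$leaf: also matches the pin for Root A"
    else
        echo "$leaf: REJECTED by the pin (issued by a different trusted root)"
    fi
done
```

Run as-is; it prints that both leaf certificates pass ordinary validation while only leafA.pem survives the pin. Pinning to a root (or to a leaf key) is the client-side counterpart to the problem Blaze raises: it closes the gap for sites you control, but it is not something a browser does for arbitrary sites on its own.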
Related Stories:
- SSH Warning: “Remote host identification has changed”: Error & Solution explained (Mar 12, 2010)
- StartSSL: a Certification Authority with a heart (Nov 03, 2009)
- Microsoft Adds Support for StartCom Certificates (Sep 25, 2009)
- SSL Flaw by (Browser) Design? (Jul 23, 2009)
- Securing a Revolution (Jun 30, 2009)
- Positive Indicators (Phishing Alerts in Firefox) (May 14, 2009)
- Attack on SSL Users Discovered, Tool Sources Released (Feb 25, 2009)
- Startcom Linux and SevenL Networks Joint Venture (Feb 03, 2009)
- SSL Certificate for Mozilla.com Issued Without Validation (Dec 24, 2008)
- MITM Attacks - Do They Really Happen? (Oct 18, 2008)