DigiNotar Security Incident (Certificate)

[Agoonie]

It looks like it is time to check your browsers for this cert.  Many are suggesting on your *nix boxes to use:

cd /etc/ssl/certs/
rm DigiNotar_Root_CA.pem

It seems like SSL is really getting hit these days.  And I do not think EV-SSL certs are going to save the day...


http://www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx

[cd1zz]

Its kind of a broken system. Moxie has great talks on this. If you allow just about anyone to be a CA or if you're a CA and have shitty security practices, then it ruins the integrity of the entire system. If we cant count on CAs to provide valid certs to legit companies then what good is it? At least the communication channel is encrypted.

[lorddicranius]

Moxie introduced his alternative for the current CA structure this year at BlackHat/DEFCON:

http://convergence.io/index.html

Has anybody had a chance to check it out?

I just came across this via Twitter: http://codereview.chromium.org/7791032/diff/2001/net/base/x509_certificate.cc

[Agoonie]

Its kind of a broken system. Moxie has great talks on this. If you allow just about anyone to be a CA or if you're a CA and have shitty security practices, then it ruins the integrity of the entire system. If we cant count on CAs to provide valid certs to legit companies then what good is it? At least the communication channel is encrypted.

I remember that especially when he released sslstrip.  I just knew it was only a matter of time after that.  I guess a broken system on its way to being crushed.  But it will be interesting to see alternatives implemented.  I remember being at a talk by Marcus Ranum and he wanted to change AV since that has been defeated, crushed and left for dead.  He had some good interesting ideas of changing the "already too late" paradigm.  But we will see.  I know we need to have something or more dark days ahead. 

Moxie introduced his alternative for the current CA structure this year at BlackHat/DEFCON:

http://convergence.io/index.html

Has anybody had a chance to check it out?

I just came across this via Twitter: http://codereview.chromium.org/7791032/diff/2001/net/base/x509_certificate.cc

I am checking that out now.  Thanks for the links!

[j0rDy]

be aware: Diginotar just revealed that there might me more certificates given out to the wrong people. Funny detail: the whole Dutch government has Diginotar certs, including sites to do taxes etc.

[3xban]

It all comes down to cost, suddenly paying a couple hundred dollars a year for a cert may not be so bad (Verisign).  All these other companies charge pennies in comparison.  I would say if you are any major player on the web then you are better off with a higher end CA for your site certs.  If anything if they get breached, you can get them for more damages. :-p  But seriously, companies want to save money so the $70 cert is much more attractive than the $600 cert.  You get what you pay for. 

Might as well install your own CA and just use self signed

[lorddicranius]

Here's a vid of Moxie's preso at BlackHat this year entitled "SSL and the Future of Authenticity"

http://www.youtube.com/watch?v=Z7Wl2FW2TcA

It's a great video, really funny and informative.

[j0rDy]

Might as well install your own CA and just use self signed

there you go, problem fixed