Linked by Thom Holwerda on Mon 5th Sep 2011 22:26 UTC
Privacy, Security, Encryption

So, people from within Iran have hacked the Dutch company DigiNotar, allowing them to issue fake certificates so they could listen in on Iranian dissidents and other organisations within Iran. This is a very simplified version of the story, since it's all quite complicated and I honestly don't even understand all of it. In any case, DigiNotar detected the intrusion July 19, but didn't really do anything with it until it all blew up in their face this past week. Now, the Dutch government has taken over operational management of DigiNotar... But as a Dutch citizen, that doesn't really fill me with confidence, because, well - whenever the Dutch government does anything even remotely related to IT technology, they mess it up. And mess it up bad.
Alfman (member since 2011-01-28)

Bill Shooter of Bul,

"Given the current system that we have, the best bet is to restrict the number of CA's that you trust."

Well yes, but that only applies to what you can control. There are problems with managing CAs personally:

1. As a website owner, your choice of CAs doesn't increase your security. The authentication of your website is validated by the list of CAs in your user's web browsers.

2. As a user, it's reasonable to want to trust only specific CAs where I can attest to their security. However in reality real websites will use CAs whose security I cannot attest to. So, this may not be an option.

2b. Obviously you're talking about blacklisting a select group rather than whitelisting a select group. But the problem remains that you are trusting CAs whose security procedures haven't really been attested to and could in fact be as bad as DigiNotar.

I'm not even sure how bad DigiNotar's procedures actually were. All CAs are vulnerable to things like zero day exploits and disgruntled employees even when they do follow best practices.

Reply Parent Score: 2
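Points 1 and 2 above (a site's own CA choice does not protect it; only the client's trust store decides, and a rogue root in that store is as good as any other) can be made concrete with a small in-memory PKI. The following Go program is an added example, not code from the thread or from DigiNotar: it constructs two root CAs, a "good" one the site really uses and a "rogue" one standing in for a compromised CA, has each issue a certificate for the same constructed hostname, and then checks both certificates against a full trust store (both roots) and a restricted store (good root only). All names and keys are generated at run time and are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a fresh P-256 key and has parent sign tmpl for it.
// With parent == nil the template signs itself (a root CA).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil { // self-signed root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// rootTemplate describes a constructed root CA with the given name.
func rootTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
}

// leafTemplate describes a TLS server certificate for host.
func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// accepted reports whether a client whose trust store holds exactly roots
// would accept cert for host. This is the check a browser performs; the site
// operator's own choice of CA plays no part in it.
func accepted(cert *x509.Certificate, host string, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		DNSName:   host,
		Roots:     pool,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err == nil
}

// RunScenario builds the two roots and two certificates for one hostname and
// returns, per (certificate, trust store) pair, whether the client accepts it.
func RunScenario() (map[string]bool, error) {
	const host = "dissident.example" // constructed hostname
	good, goodKey, err := newCert(rootTemplate("Good Root CA (constructed)"), nil, nil)
	if err != nil {
		return nil, err
	}
	rogue, rogueKey, err := newCert(rootTemplate("Rogue Root CA (constructed)"), nil, nil)
	if err != nil {
		return nil, err
	}
	legit, _, err := newCert(leafTemplate(host), good, goodKey) // the site's real cert
	if err != nil {
		return nil, err
	}
	forged, _, err := newCert(leafTemplate(host), rogue, rogueKey) // issued by the compromised CA
	if err != nil {
		return nil, err
	}
	return map[string]bool{
		"legit/full":        accepted(legit, host, good, rogue),
		"legit/restricted":  accepted(legit, host, good),
		"forged/full":       accepted(forged, host, good, rogue),
		"forged/restricted": accepted(forged, host, good),
	}, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"legit/full", "legit/restricted", "forged/full", "forged/restricted"} {
		fmt.Printf("%-18s accepted=%v\n", k, res[k])
	}
}
```

The forged certificate is accepted whenever the rogue root sits in the client's store and rejected only once it is removed, which is exactly why removing a compromised root from browsers (rather than anything the affected sites do) is the fix, and why a client that keeps trusting unvetted roots remains exposed to any one of them being the next DigiNotar.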