Linked by HAL2001 on Tue 20th Sep 2011 21:48 UTC
Privacy, Security, Encryption After having its SSL and EVSSL certificates deemed untrustworthy by the most popular browsers, VASCO announced that DigiNotar, filed a voluntary bankruptcy petition and was declared bankrupt today. This is unsurprising, since a report issued by security audit firm Fox-IT, who has been hired to investigate the now notorious DigiNotar breach, revealed that things were far worse than we were led to believe.
Permalink for comment 490286
To read all comments associated with this story, please click here.
RE[2]: No big surprise here.
by Alfman on Thu 22nd Sep 2011 00:48 UTC in reply to "RE: No big surprise here."
Alfman
Member since:
2011-01-28

Wow, that is quite a stunning revelation.

The attackers could inject the malicious javascript payload into unencrypted traffic, and then command the browser to pound away at the HTTPS server sending known plaintexts for the attacker to analyze. This part is well known, but I'm quite shocked to hear that SSL is vulnerable to known plaintext attacks.

Given how they claim that the fixes break compatibility with all software running on millions of websites and web browsers anyways, this would be an excellent opportunity for software updates to include support for non-CA based authentication/encryption mechanisms.

Looking further down the line, it would be very nice if all traffic could be secured using the same infrastructure: SSH, email, http, vpn, voip, etc. When I punch in XYZ.com in any client, I should be automatically secured without the need to manually exchange keys.

Who today manually verifies SSH keys? How many people exchange their VPN keys through an unsecure source like email or an unverified SSH connection? We need an easier, more universal solution. And I think it's within reach, but the tricky part is getting a solution widely adopted.

Edited 2011-09-22 00:59 UTC

Reply Parent Score: 2