BLU Discuss list archive
[Discuss] root CA bloat
- Subject: [Discuss] root CA bloat
- From: bogstad at pobox.com (Bill Bogstad)
- Date: Sat, 22 Nov 2014 11:33:03 +0100
- In-reply-to: <546FE733.8070007@gmail.com>
- References: <546C4823.6060900@gmail.com> <BN3PR0401MB1204BAB10AE6249C54E4E81BDC760@BN3PR0401MB1204.namprd04.prod.outlook.com> <546D7B55.70903@gmail.com> <BN3PR0401MB1204E9F1CF304F6724855281DC760@BN3PR0401MB1204.namprd04.prod.outlook.com> <546FC87F.1090203@gmail.com> <546FE733.8070007@gmail.com>
On Sat, Nov 22, 2014 at 2:30 AM, Richard Pieri <richard.pieri at gmail.com> wrote:
> On 11/21/2014 6:19 PM, Tom Metro wrote:
>>
>> Has anyone created an extension for Firefox that trims down the cert
>> list to something like the top 50 cert providers?
>...
> It gets better. Do a whois lookup on google.com. Then do one for yahoo.com.
> Now bing.com, microsoft.com, amazon.com, verizon.com, netflix.com,
> apple.com, comcast.com, att.com. Hell, any major commercial service or
> content provider. Chances are you'll see the same names: MarkMonitor and
> Corporation Service Company. These two companies are top-level CAs that
> control the DNS for most of the big-name players in the game. Which is to

You are conflating DNS and Certificate Authorities. When I look at the certificate used for www.microsoft.com, it appears to be signed by Symantec via Verisign. In any case, controlling someone's DNS is not the same thing as being able to sign an SSL certificate that will be accepted.

And as far as DNS is concerned, I don't see how you could do anything other than a world-wide MITM attack via the whois entry, because the whois database is not queried in real time. While doable, I would expect it to be noticed. The important thing for actual DNS queries is the chain of recursive and authoritative DNS servers involved. If a DNS attacker is on your physical path to these servers (or he manages to pollute the right DNS cache), attacks are relatively easy. If you are using DNSSEC (you probably aren't) then things get harder again.

To be clear, I'm not saying that there aren't problems here. I'm just saying that whois data isn't the "game over" that you seem to be implying.

Bill Bogstad
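The message above argues that what matters for DNS attacks is the chain of recursive and authoritative servers, and that polluting the right cache is the practical route. The following is an added example, not code from the original thread or from any of the posters: a toy resolver cache in Python that applies the two checks a caching resolver relies on before it stores anything from an upstream reply, namely that the reply matches the outstanding query (transaction ID and question) and that every record lies inside the bailiwick of the server that was asked. All hostnames, addresses and transaction IDs are constructed sample data, and the Query/Response structures are a simplification of real DNS messages.

```python
"""Toy recursive-resolver cache: match reply to query, then apply a bailiwick
check before caching records. Constructed sample data, not real DNS traffic."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str
    ttl: int = 300


@dataclass
class Query:
    txid: int
    qname: str
    qtype: str
    zone: str  # zone the authoritative server being asked is responsible for


@dataclass
class Response:
    txid: int
    qname: str
    qtype: str
    answers: list
    additional: list = field(default_factory=list)


def in_bailiwick(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` (label-wise, not a string prefix)."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if zone == "":
        return True  # the root servers may speak for any name
    return name == zone or name.endswith("." + zone)


class Cache:
    def __init__(self):
        self.records = {}   # (name, rtype) -> set of rdata
        self.rejected = []  # (reason, detail) for anything we refused to store

    def accept(self, query: Query, response: Response) -> int:
        """Store what the reply is entitled to assert; return number of records stored."""
        if (response.txid != query.txid
                or response.qname.lower() != query.qname.lower()
                or response.qtype != query.qtype):
            # A reply that does not match the outstanding question is dropped whole.
            self.rejected.append(("mismatch", response.txid))
            return 0
        stored = 0
        for rr in response.answers + response.additional:
            if not in_bailiwick(rr.name, query.zone):
                # A server for example.com may not tell us about other zones.
                self.rejected.append(("out-of-bailiwick", rr))
                continue
            self.records.setdefault((rr.name.lower(), rr.rtype), set()).add(rr.rdata)
            stored += 1
        return stored

    def lookup(self, name: str, rtype: str):
        return sorted(self.records.get((name.lower(), rtype), ()))


def demo():
    """Feed one legitimate and two forged replies (constructed) to the cache."""
    cache = Cache()
    q = Query(txid=0x1234, qname="www.example.com", qtype="A", zone="example.com")
    legit = Response(0x1234, "www.example.com", "A",
                     answers=[RR("www.example.com", "A", "192.0.2.10")],
                     additional=[RR("ns1.example.com", "A", "192.0.2.1")])
    # Forgery 1: guessed the transaction ID, tries to smuggle a record for another zone.
    smuggle = Response(0x1234, "www.example.com", "A",
                       answers=[RR("www.example.com", "A", "192.0.2.10")],
                       additional=[RR("www.example.org", "A", "203.0.113.5")])
    # Forgery 2: wrong transaction ID, so it is not a reply to our question at all.
    wrong_id = Response(0x9999, "www.example.com", "A",
                        answers=[RR("www.example.com", "A", "203.0.113.9")])
    results = [cache.accept(q, legit), cache.accept(q, smuggle), cache.accept(q, wrong_id)]
    return cache, results


if __name__ == "__main__":
    c, r = demo()
    print("stored per reply:", r)
    print("www.example.com A:", c.lookup("www.example.com", "A"))
    print("www.example.org A:", c.lookup("www.example.org", "A"))
    print("rejected:", [x[0] for x in c.rejected])
```

The bailiwick and transaction-ID checks stop a blind off-path forger from planting records for zones the queried server does not own, which is the "pollute the right cache" case. They do nothing against an attacker sitting on the path who can read the transaction ID and answer in-bailiwick with a matching reply, which is the on-path case the message describes, and that is the gap DNSSEC's signed records are meant to close.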
- Follow-Ups:
- [Discuss] root CA bloat
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] root CA bloat
- References:
- [Discuss] free SSL certs from the EFF
- From: tmetro+blu at gmail.com (Tom Metro)
- [Discuss] free SSL certs from the EFF
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] free SSL certs from the EFF
- From: tmetro+blu at gmail.com (Tom Metro)
- [Discuss] free SSL certs from the EFF
- From: blu at nedharvey.com (Edward Ned Harvey (blu))
- [Discuss] root CA bloat
- From: tmetro+blu at gmail.com (Tom Metro)
- [Discuss] root CA bloat
- From: richard.pieri at gmail.com (Richard Pieri)
- [Discuss] free SSL certs from the EFF