On Fri, Nov 15, 2013 at 8:55 PM, Randy Bush <randy(_at_)psg(_dot_)com> wrote:
> ted, great post.
> two things i might further stress.
> encrypting as much as reasonably possible spreads the cash of the
> pervasive passive attacker.
> there may be 600+ 'trusted' CAs. but what is actually used is a bit
> surprising
> "Analysis of the HTTPS Certificate Ecosystem",
> Z. Durumeric, J. Kasten, M. Bailey, J.A. Halderman (University of
> Michigan)
> http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf
> fix needed here.
> randy
Actually as has been demonstrated repeatedly, the EFF has been deceptive
bordering on outright dishonesty about the 600 CAs. Over 300 of what they
identified as separate CAs are all run by a single organization that hands
out certs to educational institutions in Germany. There is only one CA with
separate intermediate certs for each institution. At least 200 of the other
certificates they identify as 'CAs' have a similar origin.
What the EFF study measured was certificate signing certs where the issuer
and the subject are different parties. That does not make them a CA with
authority to issue any cert for any web site. As has been confirmed in the
case of the German CA, and as the EFF could and should have checked
themselves, the German CA maintains full control of all the signing keys.
The EFF people could have checked this out very easily and, despite
admitting in private that they can't support the claim, refuse to make a
public correction, which I think really damages their credibility. It is
the Fox News approach to lobbying.
The fact is that there is no way to measure what they are trying to measure
by looking at the issued certificates. Issuing an inaccurate figure and
then refusing to correct it is not acceptable.
--
Website: http://hallambaker.com/