
Re: Number of CAs

2013-11-17 19:25:12
On Sun, Nov 17, 2013 at 8:03 PM, Masataka Ohta <
mohta(_at_)necom830(_dot_)hpcl(_dot_)titech(_dot_)ac(_dot_)jp> wrote:

Phillip Hallam-Baker wrote:

The four most widely used browsers are all produced by US companies.

Open source helps a lot.


Not unless you compile your browser from source and verify the source each
time you compile. They have demonstrated an ability to hide compromise
pretty well.


Anyway, that does not answer my question of:

Why do you insist on counting the number of Angels when just one
fallen one is a lot more than enough?

If you posit an attack against the US CAs you must also accept that the NSA
could make the same threats against the browser providers which would have
the same effect with far less risk of being caught and far fewer
consequences to being caught.

It does not deny my point that PKI is no better than DH.


You are conflating the possibility of an attack with the certainty of an
attack succeeding.
If the NSA was to coerce a CA into issuing a false certificate I would
imagine their lawyers would point out to the court that doing so would
threaten the stability of the entire Internet economy and that if
discovered the CA would lose its business.

Could you explain why google, apple, microsoft etc. did not behave so?


Subpoenaing the software providers and the CAs are two different issues.
Google could not credibly claim that its business would be destroyed if
PRISM was exposed but Symantec could and would make the claim that they
would lose a business unit they paid $1.2 billion for.

Issuing a bogus certificate is a very visible event. The NSA is very risk
averse when it comes to actions that are likely to be exposed.

-- 
Website: http://hallambaker.com/