Re: [LUG] ssl cracked

 

Simon Waters wrote:
> Looks like Equifax RapidSSL is the only one of significance.
>
> The owners of Equifax usually have a reissue policy - be interesting to
> see if it applies here since presumably as soon as the CA's stop issuing
> MD5 signed certificates the problem goes away (doesn't look like you
> need to reissue the certificates themselves, just stop issuing new ones).
>
> That said the security provided by SSL is pretty limited, since one only
>   
It might be very useful for preventing eavesdroppers, including
untrustworthy governments and private companies, from finding out
what is being transmitted.
> needs control administrative emails for a domain for a short period to
> obtain a valid SSL certificate. So great for ensuring the communication
> is encrypted from browser to server, but of less value for ensuring the
> server is who you thought it was.
>
>   
Which has always been the problem with the mechanism of
certificate authorities as they currently exist. Especially given
that in many cases they can't actually verify much in the first place.

A problem with the way browsers handle things is that they might
not give a warning in the case of a server certificate changing.
That allows a "man-in-the-middle" attack where the intercepting
party's certificate is signed by a "trusted CA".




-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html
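The two client-side checks the thread touches on (refusing MD5-signed certificates, and noticing when a server's certificate changes between visits, which is what a browser would need in order to warn about the interception described above) can be sketched in a few dozen lines. The following is an added example, not code from the list post or from any browser; it uses only the Python standard library, parses just enough DER to read the certificate's outer signatureAlgorithm field, and keeps first-seen SHA-256 fingerprints in a plain dict (`pin_store`, a stand-in for a real trust-on-first-use store). The `sample_certificate()` helper builds a constructed, certificate-shaped DER blob for the demo; it is not a real X.509 certificate and the code does not verify any signature, so it is a check to layer on top of normal TLS validation, not a replacement for it.

```python
"""Added example: flag MD5-signed certificates and detect certificate changes.

Works on DER-encoded certificates (bytes). Only the structure
  Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
is parsed; nothing here verifies the signature itself.
"""
import hashlib

MD5_WITH_RSA = "1.2.840.113549.1.1.4"      # md5WithRSAEncryption
SHA256_WITH_RSA = "1.2.840.113549.1.1.11"  # sha256WithRSAEncryption


def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length (real certificates use it)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode OID content bytes to dotted form (first byte packs the first two arcs)."""
    arcs = [value[0] // 40, value[0] % 40]  # fine for the 1.x OIDs used here
    num = 0
    for b in value[1:]:                     # base-128, high bit set on all but the last byte
        num = (num << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(num)
            num = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der):
    """Return the dotted OID of the certificate's outer signatureAlgorithm."""
    tag, body, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)          # skip tbsCertificate
    tag, alg, _ = _read_tlv(body, pos)      # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return _decode_oid(oid)


def fingerprint(cert_der):
    """SHA-256 over the whole DER certificate, as browsers display it."""
    return hashlib.sha256(cert_der).hexdigest()


def check_certificate(cert_der, host, pin_store):
    """Return a list of problems (empty means the certificate passes both checks).

    pin_store is a hypothetical trust-on-first-use store: host -> fingerprint.
    A changed fingerprint is exactly the event a browser could warn about.
    """
    problems = []
    if signature_algorithm_oid(cert_der) == MD5_WITH_RSA:
        problems.append("certificate is signed with md5WithRSAEncryption")
    fp = fingerprint(cert_der)
    pinned = pin_store.get(host)
    if pinned is None:
        pin_store[host] = fp                # first sight: remember it
    elif pinned != fp:
        problems.append("certificate fingerprint changed since it was pinned")
    return problems


# --- constructed sample input for the demo (not a real X.509 certificate) ---

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def sample_certificate(sig_oid, serial):
    """Minimal Certificate-shaped DER: a stand-in TBS, an AlgorithmIdentifier, a dummy signature."""
    tbs = _tlv(0x30, _tlv(0x02, bytes([serial])))                  # SEQUENCE { INTEGER serial }
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # OID + NULL parameters
    sig = _tlv(0x03, b"\x00" + b"\xAA" * 32)                       # BIT STRING placeholder
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    pins = {}
    print(check_certificate(sample_certificate(SHA256_WITH_RSA, 1), "example.org", pins))
    print(check_certificate(sample_certificate(SHA256_WITH_RSA, 2), "example.org", pins))
    print(check_certificate(sample_certificate(MD5_WITH_RSA, 3), "other.example", pins))
```

On a real connection you would feed `ssl.SSLSocket.getpeercert(binary_form=True)` into `check_certificate()`; the first call for a host records the fingerprint, and any later call that sees a different certificate for that host, including one legitimately reissued by the CA, reports the change, which is the trade-off a pinning or trust-on-first-use scheme has to manage.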