Irregular Expressions

Mar 29 2011   10:50PM GMT

What happens when the Certificate Authority system fails

Dan O'Connor

Bad things.

That’s what.

The story is that on March 15th someone had certificates issued for some big sites, Hotmail, Gmail, Yahoo and Skype among them, by logging into a certificate authority's issuing system with a username and password they had obtained. On a one-to-ten scale of site security issues this is more like an eleven. The certificate is what proves a site is who it claims to be; if a clone of one of these sites were set up with one of these certificates, and the attacker could steer your traffic to it (a poisoned DNS answer or a hostile network is enough), your browser would show the padlock and you could not tell it was a clone. The CA system does have a mechanism for this: the certificate revocation list, or CRL, which is exactly what it sounds like, a signed list of certificates the CA has withdrawn. But the list only helps if it is fetched and kept current, and on top of that your browser has to actually check it and stop you when a site presents a revoked certificate, rather than quietly carrying on when the check fails or the list is stale.
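
The revocation check that paragraph is asking for, as an added example that is not part of the original post: a throwaway CA, a leaf certificate issued for a login host with the compromised credentials, a legitimate sibling certificate, and the CRL the CA publishes afterwards, all built in memory with Go's standard library. The CA name, hostnames, serial numbers and dates are constructed for the example and do not describe the real incident. Ordinary chain validation accepts the fraudulent certificate; only the explicit CRL step rejects it, and that same step refuses a CRL that is past its NextUpdate instead of treating a stale list as "not revoked".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Outcomes a client must tell apart: a listed serial, and a CRL it may not rely on.
var ErrRevoked = errors.New("certificate serial is listed in the issuer's CRL")
var ErrStaleCRL = errors.New("CRL outside its ThisUpdate..NextUpdate window; not trusted")
var issued = time.Date(2011, time.March, 15, 0, 0, 0, 0, time.UTC) // constructed date, not the real incident
func must[T any](v T, err error) T { // fixture setup only: any error here is a bug in the example
	if err != nil {
		panic(err)
	}
	return v
}
// scenario is a throwaway in-memory PKI: a CA, the attacker's leaf, a legitimate leaf, and the CA's CRL.
type scenario struct {
	ca, badLeaf, goodLeaf *x509.Certificate
	crlDER                []byte
}
func buildScenario() *scenario {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example CA (constructed)"},
		NotBefore:             issued.Add(-24 * time.Hour),
		NotAfter:              issued.Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	// Re-parse so the SubjectKeyId Go generates for CA certs is present; CRL signing requires it.
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	issue := func(serial int64, host string) *x509.Certificate {
		key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			DNSNames:     []string{host},
			NotBefore:    issued,
			NotAfter:     issued.Add(90 * 24 * time.Hour),
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))))
	}
	badLeaf := issue(4242, "login.example.net") // hypothetical host; issued with the stolen credentials
	goodLeaf := issue(4243, "www.example.net")  // legitimate sibling that is never revoked
	crlTmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          issued,
		NextUpdate:          issued.Add(24 * time.Hour), // clients must refetch within a day
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: badLeaf.SerialNumber, RevocationTime: issued}},
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crlTmpl, ca, caKey))
	return &scenario{ca: ca, badLeaf: badLeaf, goodLeaf: goodLeaf, crlDER: crlDER}
}

// chainValid is the check every browser does: chain to a trusted root for this host. It never consults revocation.
func chainValid(leaf, root *x509.Certificate, host string, now time.Time) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host, CurrentTime: now})
	return err == nil
}

// checkRevocation confirms the CRL is the issuer's, refuses a stale list (fail closed), then searches for the serial.
func checkRevocation(leaf, issuer *x509.Certificate, crlDER []byte, now time.Time) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("cannot parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by issuer: %w", err)
	}
	if now.Before(crl.ThisUpdate) || now.After(crl.NextUpdate) {
		return ErrStaleCRL
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}
func main() {
	s := buildScenario()
	now := issued.Add(2 * time.Hour)
	fmt.Println("fraudulent cert chains to CA:", chainValid(s.badLeaf, s.ca, "login.example.net", now))
	fmt.Println("fraudulent cert, fresh CRL:", checkRevocation(s.badLeaf, s.ca, s.crlDER, now))
	fmt.Println("legitimate cert, fresh CRL:", checkRevocation(s.goodLeaf, s.ca, s.crlDER, now))
	fmt.Println("fraudulent cert, week-old CRL:", checkRevocation(s.badLeaf, s.ca, s.crlDER, now.Add(7*24*time.Hour)))
}
```

Run it with `go run`. The first line is the uncomfortable part: the fraudulent certificate chains to the CA and matches the hostname, so a browser that stops there shows a padlock. The last line is the failure mode the paragraph warns about: a client still holding a week-old CRL gets no answer at all, and if it treats that as "not revoked" instead of an error, the revocation never reaches the user. Browsers also use OCSP and vendor-pushed blocklists, but the decision logic (verify the source, reject stale data, fail closed) is the same.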

Chrome had its update out in a couple of days, but Firefox and IE took seven and eight days; in each case the fix was a browser update that marks the bad certificates untrusted, which is why it depended on the vendors shipping at all. The vendors involved were worried about responsible disclosure, but really the only person who benefited from the delay was the one holding the certificates.
