CAs and other stuff

[eXtr33m]

They told us - nothing what is free can be good as paid, and yet they failed so much people could have been in danger. We can only hope that they will get the words of people that CA system is so shitty, highschooler could do better, but well as long as there is money in it i don't think they will give up easily..
http://www.theinquirer.net/inquirer/news/2106643/diginotar-hackers-targeted-cia-mossad-mi6

[SKracht]

meh when he released ComodoGate i thought like 'ok that smart little iranian guy stumbled about something huge, fine, but he is kind a narcissistic praisin himself and reactin to every line on twitter, idiot, will never hear of him again'.
But this one is dramatic, i read through the lists of domains and institutes that where/maybe compromised, wow.
I'm not so deeply into CAs and i stopped following his (religious) shit published on etherpads and twitter and so on but as far as i understand, the complete CA system and of course SSL are simply fucked, right? so is TOR than...
guess he made lots of money selling CA's for MITM's

[eXtr33m]

Well if he is a single guy is questionable: Only reported attack i've heard of is on Iranian citizens (about 300 000)..
http://www.pcworld.com/businesscenter/article/239534/comodo_hacker_claims_credit_for_diginotar_attack.html
Well afaik it works like this: you trust your Certificate "provider" which is mozilla/microsoft etc. They trust all the certificates issued by CA, selected by them. So until you do an update with deleted hacked CA, you still "trust" them. Yeah the thing is this is business so DigiNotar wasn't really talkative about the breach so it kinda fked up.. Well everything is "fine" if you have update

[natirips]

I never really understood how can anything be safe on the Internet to begin with since Internet and privacy are antonyms. Thus I personally see no reason to even try using encryption of any kind from the start.

[Crusher]

http://arstechnica.com/open-source/news ... -stack.ars

[SKracht]

That reminds me a bit of Dual_EC_DRBG =)

[natirips]

So my instincts that told me not to use BSD despite being a *nix fan were right.

[wurst]

so what do we learn from this?
- ssl sux the way its used by now.
- open source is bad cause its open source.
- not everything that looks like done by 1-2 college students is done by 1-2 college students.
great

@ssl certs
im still with the opinion that theres a mistake by design:
companies rule the certificates, not governments.
a companys goal is always making money. if theres a problem with that, it will try anything cause it dont wanna die...
it would be great if there would be encryption in general, no plain http anylonger. why dont we/they validate the server somehow else?

@topic: i didnt really understand how "he" did it.
can someone help me out? he went to where first?
i mean: u must do some in the DNS to get the client on ur faked site, but how do u get him to eat ur faked cert?
compromise thawte sounds like the very second unbelievable hard step for me, so they accept the

[natirips]

If you're talking to a fake/compromised certificate verification server how can you tell the difference between real and face certificate?


Oh, and apropos open source being bad "because it's open source", what makes you think closed source is any better/safer? Like you said, big companies would do anything for money, what makes big closed-source-making companies any different?


Internet is public. Period. That's why I don't use it for anything critically important.

[eXtr33m]

Like if the things weren't bad enough..
http://freerepublic.com/focus/f-chat/2781678/posts