[kwlug-disc] Blue Coat

Raymond Chen raymondchen625 at gmail.com
Mon May 30 10:40:57 EDT 2016


This will keep happening. Remember the news that China got caught by
Google Chrome forging certificates:
http://www.tomshardware.com/news/google-bans-cnnic-root-ca,28873.html.
I think Microsoft removed that CA too, more quietly I think.

On Sun, May 29, 2016 at 3:45 PM, Hubert Chathi <hubert at uhoreg.ca> wrote:
> On Sat, 28 May 2016 21:34:44 -0400, "B.S." <bs27975.2 at gmail.com> said:
>
>> However ... if that first cert fetch came from one of these
>> untrustworthy CA intermediaries - has one accomplished anything?
>
> Yes, that's absolutely right.  Pinning, and other "trust on first use"
> (TOFU)-like schemes operate under the assumption that an attacker is not
> doing long-term surveillance, in which case, either your first contact
> with a site is prior to the attack, or that future interactions will be
> after the attack is done, at which point you will notice the key change
> and realize that something fishy happened.
>
> So it's not perfect, but it's a slight improvement since it limits what
> kind of attack you are vulnerable to and/or who is able to attack you.
>
>
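The two cases Hubert describes (first contact before the attack, versus the first contact itself going through a mis-issuing CA) can be made concrete with a minimal trust-on-first-use pin store. This is an added illustration, not code from the thread or from any browser; host name and certificate bytes are constructed stand-ins, and the store keeps a SHA-256 fingerprint of whatever certificate it sees first.

```python
"""Constructed example: a minimal trust-on-first-use (TOFU) certificate pin store."""
import hashlib
from dataclasses import dataclass, field


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, hex-encoded (what a pin normally records)."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class PinStore:
    """Maps host name -> fingerprint pinned on first contact."""
    pins: dict = field(default_factory=dict)

    def check(self, host: str, cert_der: bytes) -> str:
        """Return 'pinned' on first contact, 'ok' on a match, 'MISMATCH' on a key change."""
        fp = fingerprint(cert_der)
        known = self.pins.get(host)
        if known is None:
            # First use: whatever we see now becomes the trusted key, right or wrong.
            self.pins[host] = fp
            return "pinned"
        if known == fp:
            return "ok"
        # The key differs from the pin: this is the "something fishy" signal.
        return "MISMATCH"


# Constructed byte strings standing in for two DER certificates for the same host:
# the site's real certificate, and one issued for it by an untrustworthy CA.
HOST = "example.test"
LEGIT_CERT = b"constructed: example.test legitimate certificate"
FORGED_CERT = b"constructed: example.test certificate from a mis-issuing CA"


def run_scenario(first_contact_cert: bytes, later_certs: list) -> list:
    """Feed a sequence of certificates through a fresh store and return each verdict."""
    store = PinStore()
    verdicts = [store.check(HOST, first_contact_cert)]
    for cert in later_certs:
        verdicts.append(store.check(HOST, cert))
    return verdicts


def attack_after_first_contact() -> list:
    """First contact is genuine; a forged certificate appears later and is flagged."""
    return run_scenario(LEGIT_CERT, [LEGIT_CERT, FORGED_CERT, LEGIT_CERT])


def attack_during_first_contact() -> list:
    """First contact is already intercepted: the forged key is pinned and passes
    silently; the mismatch only fires when the interception stops and the real
    certificate shows up."""
    return run_scenario(FORGED_CERT, [FORGED_CERT, LEGIT_CERT])


if __name__ == "__main__":
    print("attack after first contact :", attack_after_first_contact())
    print("attack during first contact:", attack_during_first_contact())
```

Running it shows the asymmetry in the quoted argument: in the first scenario the forged certificate produces a MISMATCH immediately, while in the second the forged key is what gets pinned, every later connection to the attacker reads as ok, and the alarm is raised only at the end of the attack, against the legitimate certificate. A real deployment would also persist the store and decide what to do on MISMATCH (block, prompt, or log), but the detection logic is no more than this comparison.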