Boris Zbarsky:

> But the MITM attacker could use it to impersonate the site, which is the whole
> point.

Yes, in case the attacker managed to get a copy of the previously used and signed key. Not, in case the subscriber managed to change his cert before.

>>> - Modify NSS/Firefox to detect weak sites
>>
>> I would cite privacy concerns with such a scenario.
>
> Like what?

I wouldn't like Mozilla to know which sites I'm visiting (including non-public... and, eheeem, all the others ;-) )

>> How do you intend to find them?
>
> web-crawlers are not exactly rocket science.

Nope, but needs quite some resources in order to receive some valuable results within reasonable time.

> So the real question is: given an SSL handshake, how does one tell whether
> the site is vulnerable? I believe
> there are ways to detect this, based on other mails I've seen going through.

Yes, certainly, but even this might require quite some CPU cycles.

>> And what if a CA refuses to comment or provide this information?
>
> Provide what information?

Whatever they decided to do in respect of this threat.

> If there is a list of vulnerable sites, there is a
> corresponding list of CAs, since the site certificate says who the CA is.

Correct, but it's a big if for now.

>> Again, see above that this makes only sense if an affected site owner
>> would refuse to replace the certificate because of somebody detected a
>> weak key.
>
> Again, I don't think that's correct.

Well, actually the Debian folks are rather security conscious... in relation to that they are also the ones preferring Iceweasel and Cacert because it ain't free enough, with purified openssl for the topping ;-)

> That's the perspective of the CAs (including yourself), sure. We know that
> already.

I had no clue what other CAs decided in that respect and I offered our estimates and decisions on this subject. That's not something coordinated. I'm open to suggestions as always.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
<http://www.startcom.org>
Jabber: [EMAIL PROTECTED]
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390