Eddy Nigg (StartCom Ltd.) wrote:
> Yes, in case the attacker managed to get a copy of the previously used
> and signed key. Not, in case the subscriber managed to change his cert
> before.

Right. But I'm not going to bet against the possibility that there are bad guys even now downloading the public keys from as many SSL servers as they can find, so that they can later compare them with the weak keys. If they get a hit, they can impersonate that site from now until the time the cert expires.

> I wouldn't like Mozilla to know which sites I'm visiting (including
> non-public....and, eheeem all the others ;-) )

As Boris says, modifying NSS or Firefox to detect weak keys does not involve sending any data anywhere. Check the bug.

Gerv

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
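The point Gerv makes above, that a client-side weak-key check needs no network traffic, can be shown concretely. The following is an added illustration, not code from this thread, from NSS or from Firefox: it hashes the public key a server presents and looks the fingerprint up in a list shipped with the client, entirely in-process. The "DER" byte strings, the PEM wrapper, the choice of SHA-256 as the fingerprint and the blacklist contents are all constructed for the example; the real blacklist format used by any particular tool is not assumed.

```python
import base64
import hashlib
import textwrap

# Constructed sample "DER" blobs standing in for real SubjectPublicKeyInfo
# encodings. They are not real keys; they only need to be distinct byte
# strings so that their fingerprints differ.
WEAK_KEY_DER = b"constructed-weak-key-der-0001"
ROTATED_KEY_DER = b"constructed-fresh-key-der-0002"


def der_to_pem(der: bytes, label: str = "PUBLIC KEY") -> str:
    """Wrap DER bytes in PEM armour (base64 body, 64-character lines)."""
    body = base64.b64encode(der).decode("ascii")
    lines = textwrap.wrap(body, 64)
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armour and decode the base64 body back to DER bytes.

    Rejects input whose BEGIN/END labels do not match, so a mislabelled
    block is not silently accepted as a public key.
    """
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if (len(lines) < 3
            or not lines[0].startswith("-----BEGIN ")
            or not lines[-1].startswith("-----END ")):
        raise ValueError("not a PEM block")
    begin_label = lines[0][len("-----BEGIN "):-5]
    end_label = lines[-1][len("-----END "):-5]
    if begin_label != end_label:
        raise ValueError("PEM BEGIN/END labels differ")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding; this is what the local list stores.

    SHA-256 is an assumption for the example, not a claim about any
    particular blacklist format.
    """
    return hashlib.sha256(der).hexdigest()


# Constructed local blacklist: fingerprints of keys known to be weak, bundled
# with the client. Loading the same set from a local file is the same idea.
LOCAL_BLACKLIST = frozenset({fingerprint(WEAK_KEY_DER)})


def is_weak_key(pem: str, blacklist=LOCAL_BLACKLIST) -> bool:
    """Return True if the presented key's fingerprint is on the local list.

    Everything happens in-process: the key is hashed and looked up locally,
    so nothing about the visited site leaves the machine.
    """
    return fingerprint(pem_to_der(pem)) in blacklist


def check_server_sequence(presented_pems, blacklist=LOCAL_BLACKLIST):
    """Evaluate the key a site presents over time.

    Models Eddy's caveat: a site that has rotated to a fresh key is no
    longer flagged, while one still serving a blacklisted key is.
    """
    return [is_weak_key(p, blacklist) for p in presented_pems]


if __name__ == "__main__":
    history = [der_to_pem(WEAK_KEY_DER), der_to_pem(ROTATED_KEY_DER)]
    for pem, weak in zip(history, check_server_sequence(history)):
        print("WEAK " if weak else "ok   ", fingerprint(pem_to_der(pem))[:16])
```

The check is a pure function of the presented key and the bundled list, which is why the privacy concern in the quoted reply does not arise: the only data that moves is the list, from the vendor to the client, never the other way.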
