Hi,

Some pointers:

http://www.eff.org/observatory
and
http://events.ccc.de/2010/12/28/is-the-ssliverse-a-safe-place/
http://media.ccc.de/browse/congress/2010/27c3-4121-en-is_the_ssliverse_a_safe_place.html (video)

"All major webbrowsers come with a list of CAs preinstalled they assume as trustworthy. Every website can be signed by any of these CAs, so no webbrowser would show a warning, if www.dod.gov would be signed by a Chinese certification authority or the Deutsche Telekom."

"At Defcon 2010, we reported the initial findings of the SSL Observatory. That included thousands of valid "localhost" certificates, certificates with weak keys, CA certs sharing keys and with suspicious expiration dates, and the fact that there are approximately 650 organizations that can sign a certificate for any domain that will be trusted by modern desktop browsers, including some that you might regard as untrustworthy."

--
Benoît Sibaud
