On Tue, Dec 23, 2008 at 8:47 AM, Roc Admin <onionrou...@gmail.com> wrote:
> ... receive a completely valid certificate for a random domain
> of his choosing without any questions or verification.
> ... the browser pre-trusted certificate authorities
> really needs to be cleaned up.
this is why i am fond of the petname toolbar to identify server certificates using local trust information rather than assuming any cert signed by any of the dozens of random CAs bundled with Firefox is legit:
https://addons.mozilla.org/en-US/firefox/addon/957

for other applications that use system or application CA certificate stores you've got fewer options. if you're really concerned you can extract the few roots you trust into a new certificate store and tell the app in question to validate against those CAs only.

supposedly extended validation certs will restore trust in the PKI hierarchy, but i'm not holding my breath... *grin*

best regards,
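Turning the "extract the few roots you trust into a new certificate store" suggestion into something runnable, as an added example that is not part of the original message: it uses openssl to build a one-root store and shows which certificates that store accepts compared with a bundle that trusts every root it holds. The CA names, server names and the trusted-roots.pem / bundle.pem file names are constructed for the demo.

```shell
#!/bin/sh
# Build a trust store holding only the CA roots you have chosen to trust, then
# verify server certificates against that store alone instead of the full
# bundle shipped with the system or browser.
# Constructed example: a throwaway "trusted" CA and a second "other" CA stand
# in for real roots so the demo runs offline. In practice you would copy the
# few real root certificates you rely on into trusted-roots.pem instead.
set -e
WORK=$(mktemp -d)

mk_ca() {  # $1 = CA name; generates a self-signed CA key and certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

issue_leaf() {  # $1 = issuing CA name, $2 = server name; issues a leaf cert
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/$2.csr" -CA "$WORK/$1.crt" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/$2.crt" 2>/dev/null
}

# verify_against_store <store.pem> <cert.pem>: exit 0 if the chain validates
# using ONLY the roots in <store.pem>, non-zero otherwise.
verify_against_store() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

mk_ca trusted-ca
mk_ca other-ca
issue_leaf trusted-ca good.example
issue_leaf other-ca unknown.example

# The restricted store contains exactly one root. Contrast it with a
# "bundle" store that, like a default CA bundle, trusts every root it holds.
cat "$WORK/trusted-ca.crt" > "$WORK/trusted-roots.pem"
cat "$WORK/trusted-ca.crt" "$WORK/other-ca.crt" > "$WORK/bundle.pem"

for cert in good.example unknown.example; do
  for store in trusted-roots bundle; do
    if verify_against_store "$WORK/$store.pem" "$WORK/$cert.crt"; then
      echo "$cert against $store: OK"
    else
      echo "$cert against $store: REJECTED"
    fi
  done
done
# Point an OpenSSL-based client at the restricted store, for example:
#   SSL_CERT_FILE="$WORK/trusted-roots.pem" <command>   or   curl --cacert ...
```

The leaf issued by other-ca is rejected against trusted-roots.pem but accepted against bundle.pem, which is exactly the gap the restricted store closes.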