[liberationtech] Another CA Compromise: TurkTrust

2013-01-03 Thread Nadim Kobeissi
Another CA has been found issuing SSL certificates for Google services. Mozilla has acted on the issue: https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/ The weird thing is that it's starting to appear less and less crazy to just get rid of the CA system and

Re: [liberationtech] Another CA Compromise: TurkTrust

2013-01-03 Thread Julian Oliver
..on Fri, Jan 04, 2013 at 03:09:41AM +0200, Nadim Kobeissi wrote: > Another CA has been found issuing SSL certificates for Google services. > Mozilla has acted on the issue: > https://blog.mozilla.org/security/2013/01/03/revoking-trust-in-two-turktrust-certficates/ > > The weird thing is that it's

Re: [liberationtech] Another CA Compromise: TurkTrust

2013-01-03 Thread Collin Anderson
TURKTRUST posted more details on Mozilla's security dev group. I'll also copy my comment on Google's announcement here: The conclusion of the post notes that Google "may also decide to take additional action after further discussion and careful consideration," which to me hints that the Chrome tea

Re: [liberationtech] Another CA Compromise: TurkTrust

2013-01-03 Thread Griffin Boyce
Honestly, a full and transparent audit of all CAs and vendors would be better. If every CA had to list which sites it had issued certificates for, a few dozen would probably shake out with fake certs for Google or Apple. I don't think Convergence is the solution, unfortunately. ~Griffin On Thu,

Re: [liberationtech] Another CA Compromise: TurkTrust

2013-01-03 Thread Ruben Bloemgarten
Nadim, I think it's about time to have CAs be peer-accredited institutes (EFF/tor/access now/my brother's sister's cousin/whoever) issuing free or at least at-cost certs. That being said, I don't think certs are very good at preventing MITM anyway, that might be the case if a majority of users wo

Re: [liberationtech] Another CA Compromise: TurkTrust

2013-01-03 Thread Collin Anderson
On Thu, Jan 3, 2013 at 5:26 PM, Ruben Bloemgarten wrote: > "you don't know who I am, but only we know what we're telling each other." So essentially you and Nadim are arguing that, since CAs fail some of the time, we should get rid of the whole system and end up in the same position -- where th

Re: [liberationtech] Another CA Compromise: TurkTrust

2013-01-03 Thread Amin Sabeti
One point: Most of the Iranian banks have bought SSL certification from TurkTrust. Sent from my iPhone On 4 Jan 2013, at 01:41, Collin Anderson wrote: > On Thu, Jan 3, 2013 at 5:26 PM, Ruben Bloemgarten wrote: >> "you don't know who I am, but only we know what we're telling each other." > >

Re: [liberationtech] Another CA Compromise: TurkTrust

2013-01-03 Thread Ruben Bloemgarten
On 01/04/2013 02:41 AM, Collin Anderson wrote: > On Thu, Jan 3, 2013 at 5:26 PM, Ruben Bloemgarten > wrote: > > "you don't know who I am, but only we know what we're telling each > other." > > > So essentially you and Nadim are arguing that, since CAs fail some

Re: [liberationtech] Another CA Compromise: TurkTrust

2013-01-04 Thread Ralph Holz
On 01/04/2013 02:45 AM, Amin Sabeti wrote: > One point: Most of the Iranian banks have bought SSL certification from > TurkTrust. Indeed. And one of the solutions that Mozilla is considering is to limit Turktrust to .tr and .ir, by using the name extension in X.509. Ralph -- Ralph Holz Network

Re: [liberationtech] Another CA Compromise: TurkTrust

2013-01-04 Thread Amin Sabeti
I've checked some of the Iranian banks' SSL and found at least two of them have changed the CA from TurkTrust to WoSign, Inc. in the US. A On 4 January 2013 10:09, Ralph Holz wrote: > On 01/04/2013 02:45 AM, Amin Sabeti wrote: > > One point: Most of the Iranian banks have bought SSL certificati