GlobalSign has suspended the publication of SSL certificates as a precaution in the wake of unverified claims by a hacker linked to attacks on Comodo and DigiNotar. The self-named Comodohacker used pastebin in March to claim responsibility for hacks against Comodo that allowed the publication of bogus SSL certificates. The …
Thwarted by the CEO?
The CEO of every CA should be chained to their desk to manually verify everything until they can prove their systems' security. That'd encourage them to take security more seriously.
A responsible approach? How... novel...
I'm sure no one would have batted an eyelid if they'd just stayed schtum and investigated in private.
"Every so often, the English shoot an admiral, to encourage the others."
Perhaps the browser makers, having just assassinated one CA, will encourage better behaviour from the others for a while. I wonder if we could bring this policy to other badly performing corporate sectors? Although maybe I'm being unfair, and GlobalSign would have been this good anyway.
However, it should be pointed out that governments round the world didn't bail out all the banks, but allowing a couple to go bust hasn't noticeably improved behaviour or attitudes in the rest.
But sometimes, a healthy fear of consequences can work wonders.
The claim appears to be roughly "I know your password, but I'm not telling." How is anyone supposed to disprove that? Isn't this a FUD-based DoS attack on a CA who (particularly in the current climate) wants to be seen to be doing the right thing?
Actually, it's cleverer than that. It's "I know 4 people's passwords, but I'm not telling which".
If any CA's security is breached in the next few years, this genius can claim the credit.
Thus, his message is an informational null.
by way of interest
Around the end of last week GlobalSign's OCSP servers were having major issues. They claimed it was due to server upgrades, but maybe it was our friend here?
@by way of interest
...or maybe it was because of Lulzsec, or Iran, or China, or the CIA, or Google, or...
Just because you're paranoid doesn't mean they aren't out to get you.
Problem in browser, not "CA"
The chain of trust is: I trust the browser; the browser trusts the CA; the CA trusts anybody they like.
Don't blame the CA; blame the browser for gaily trusting a clearly untrustworthy CA.
Blame yourself for trusting untrustworthy browsers, although you have little chance, except with FF plugins, of finding a trustworthy browser.