Opera users
automatically protected, no application update needed.
http://my.opera.com/securitygroup/blog/2011/08/30/when-certificate-authorities-are-hacked-2
The hack attack that minted a fraudulent authentication credential for Google.com may have affected hundreds of other websites, a review of source code for Google's Chromium browser suggests. A side-by-side review comparing code contained in an upcoming version of Chrome increased the number of secure sockets layer certificates …
then Opera can also turn off the entire CA without users needing to download anything either... No rash and rushed updates like Chrome and Firefox that ***MIGHT*** catch all the bad certs, and if not, another update tomorrow that ***MIGHT*** catch a few more...
The point is, yes Opera is revocation based, but it is also the ONLY browser that downgrades the cert if there is a blocked revocation URL.
"Some browsers will present a site as secure if the revocation URL is blocked, Opera will downgrade the security level of the site to the same as any other regular web page in such unverified cases, which means that once a certificate is revoked by the issuer, it cannot be abused in Opera, even if the revocation URL is blocked. The most an attacker can do, is the same as he could without a certificate."
WOW! So basically the difference between Firefox and Opera is that in Firefox if it gets the revocation list it will warn you and get you to jump through hoops to access the site, and in Opera it will just not change the icon next to the URL!
That's amazing and will obviously really help normal users!
They know they've been hacked, but they refuse to give a full list of what fake certificates have been issued? Then untrusting all certificates issued by them is the only safe option.
Tough luck on them - letting themselves be hacked is incompetent, but letting known fake certificates circulate is grossly irresponsible.
The interesting bit is the Chromium list: what are the over 200 certificates for?! It's more than even DigiNotar revoked themselves.
Browsers should have treated OCSP or CRL failure as certificate revoked for a long time already, it's not like the CAs don't have the money to run servers...
The CAs are already running servers, but users are too impatient to wait for the browser to check every certificate in the chain and therefore, by default, most browsers disable this checking.
Does this mean that instead of using a website to check my installed SSL certificates, I can just use Opera? If so, that will save me quite a bit of hassle.