
Oh my chord! Sennheiser hits bum note with major HTTPS certificate cock-up

djack

The fix is just as bad

Now the software relies on a key that only Sennheiser privately keeps a copy of.

So they've just appointed themselves as a root CA. Wait until that key leaks and...

What would be better in this case would be to generate a unique key on install. If it's only to authenticate 'localhost' then no-one else needs access to that key or to trust it. Plus if an attacker manages to steal a key off someone's installation, it will affect... no-one else. If they have access to be stealing private keys, your system is already hosed without Sennheiser's help.
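The per-install approach djack describes, as an added example that is not part of the comment above and not Sennheiser's own code: a small Go program generates a fresh ECDSA key and a self-signed leaf certificate that names nothing but loopback addresses, and a check function rejects anything that is a CA or names a non-local host. The function names, the one-year validity and the output file names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// LocalCert holds the per-install key and self-signed certificate.
type LocalCert struct {
	CertPEM []byte
	KeyPEM  []byte
	Cert    *x509.Certificate
}

// GenerateLocalhostCert creates a fresh key pair and a self-signed leaf
// certificate valid only for localhost. Every call produces a new key and
// a random serial, so no two installs share anything worth stealing.
func GenerateLocalhostCert(validFor time.Duration) (*LocalCert, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "localhost"},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(validFor),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  false, // a leaf, not a CA: it cannot sign for any other host
		DNSNames:              []string{"localhost"},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")},
	}
	// Self-signed: template is both subject and issuer.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, err
	}
	return &LocalCert{
		CertPEM: pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		KeyPEM:  pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}),
		Cert:    cert,
	}, nil
}

// IsLocalhostOnlyLeaf reports whether a certificate is acceptable for the
// local-software case: not a CA, and naming only loopback identities.
func IsLocalhostOnlyLeaf(c *x509.Certificate) bool {
	if c.IsCA || !c.BasicConstraintsValid {
		return false
	}
	for _, n := range c.DNSNames {
		if n != "localhost" {
			return false
		}
	}
	for _, ip := range c.IPAddresses {
		if !ip.IsLoopback() {
			return false
		}
	}
	return len(c.DNSNames)+len(c.IPAddresses) > 0
}

// VerifyForLocalhost trusts exactly this one certificate (and nothing else)
// and checks that it validates for the name "localhost".
func VerifyForLocalhost(lc *LocalCert) error {
	pool := x509.NewCertPool()
	pool.AddCert(lc.Cert)
	_, err := lc.Cert.Verify(x509.VerifyOptions{DNSName: "localhost", Roots: pool})
	return err
}

func main() {
	lc, err := GenerateLocalhostCert(365 * 24 * time.Hour)
	if err != nil {
		fmt.Fprintln(os.Stderr, "generate:", err)
		os.Exit(1)
	}
	// Assumed output names; the key file is created readable by the owner only.
	if err := os.WriteFile("localhost-cert.pem", lc.CertPEM, 0o644); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	if err := os.WriteFile("localhost-key.pem", lc.KeyPEM, 0o600); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("localhost-only leaf:", IsLocalhostOnlyLeaf(lc.Cert), "serial:", lc.Cert.SerialNumber)
}
```

Only the generated certificate is added to the local trust store, so a key lifted from one machine is useless anywhere else, which is the whole point of the comment's suggestion.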
