Bye bye Startssl/start.com http://www.securityweek.com/startcom-ca-shut-down-after-ban-browser-vendors
-
This makes a number of excellent illustrations of why the entire PKI system is broken. 1) Browser vendors wield power out of all proportion to their contribution to PKI. The same SSL certs banned by browsers can also be used for e-mail, XMPP, PBXes, &c. 2) A rogue Certificate Authority can poison the entire PKI with falsely issued certificates. Yes, there exists OCSP to ensure a cert doesn't change, but a) some major websites change their certs frequently (hello, Google!), and b) Trust On First Use could still trust the bogus cert if it gets seen before the legit cert.