Security by asking the drunk whether he's drunk
Jerry Leichter
leichter at lrw.com
Sat Dec 27 07:19:28 EST 2008
On Dec 26, 2008, at 2:39 AM, Peter Gutmann wrote:
> dan at geer.org writes:
>
>> I'm hoping this is just a single instance but it makes you remember
>> that the browser pre-trusted certificate authorities really need to be
>> cleaned up.
>
> Given the more or less complete failure of commercial PKI for both SSL web
> browsing and code-signing (as evidenced by the multibillion-dollar cybercrime
> industry freely doing all the things that SSL certs and code-signing were
> supposed to prevent them from doing), it's not so much "cleaned up" as
> "replaced with something that may actually work"....
I just had an interesting experience with a different sort of
failure: I tried to buy a DVD from The Teaching Company
(www.teach12.com). When I went to check out - or even when I connect to
the top level at https://www.teach12.com - I get a complaint that their
cert is signed by an unknown authority. It turns out that they recently
put an EV certificate in place. It's issued by "VeriSign Class 3
Extended Validation SSL SGC CA" - which neither Safari 3.2.1 nor
Firefox 3.0.5 on my Mac has ever heard of!
I got in touch with the company and actually received intelligent
responses both at their 800 number - I placed my order that way - and
in a response from their customer service people. Most remarkable -
almost all organizations ignore such communication. It's ironic that
those who appear to be trying the hardest are being screwed over by
the system that's currently in place - and will inadvertently be
involved in training users to simply bypass yet another kind of bad
cert warning.
(I can highly recommend the courses that The Teaching Company
distributes, by the way. I usually borrow them from the library, but
I've bought a few of the best here and there - especially when they
have sales, as they do right now.)
-- Jerry
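The "signed by an unknown authority" complaint above is ambiguous from the client's side: either the server omitted the intermediate CA certificate from what it sends (the most common cause when the issuer is a well-known CA's sub-CA, which is an assumption about this case, not something the post establishes), or the chain is complete but ends in a root the browser genuinely does not trust. The following added example, which is not part of the original post or of any browser's code, models the chain-building step a client performs so the two cases can be told apart. Only the intermediate's name and the host come from the post; the root CA name, the `Cert` model and the trust store are constructed placeholders.

```python
"""Diagnose why a TLS client reports "signed by an unknown authority".

Added example, not code from the original post. It models how a client
builds a chain from the certificates a server presents: each certificate's
issuer must be either another presented certificate or a root already in
the local trust store. Certificates are reduced to (subject, issuer) names;
signature checks, validity periods and EV policy are deliberately omitted.
"""
from dataclasses import dataclass
from typing import Iterable, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed model)."""
    subject: str
    issuer: str

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def diagnose_chain(presented: Sequence[Cert],
                   trusted_roots: Iterable[str]) -> Tuple[str, str]:
    """Walk from the leaf (presented[0]) towards a trusted root.

    Returns (verdict, detail):
      ("ok", root)                 chain reaches a root in trusted_roots
      ("unknown-issuer", issuer)   a certificate's issuer was neither sent
                                   by the server nor found in the trust
                                   store; if `issuer` is a CA's known
                                   intermediate, the server omitted it
      ("untrusted-root", root)     chain is complete but ends in a
                                   self-signed root the client does not trust
      ("loop", subject)            malformed chain that never terminates
    """
    if not presented:
        raise ValueError("server presented no certificate")
    by_subject = {c.subject: c for c in presented}  # order-independent lookup
    trusted = set(trusted_roots)
    current = presented[0]
    seen = set()
    while True:
        if current.subject in seen:
            return ("loop", current.subject)
        seen.add(current.subject)
        if current.issuer in trusted:
            return ("ok", current.issuer)
        if current.is_self_signed:
            return ("untrusted-root", current.subject)
        parent = by_subject.get(current.issuer)
        if parent is None:
            return ("unknown-issuer", current.issuer)
        current = parent


# --- constructed sample data mirroring the situation in the post ---------
ROOT = "Example Root CA (constructed placeholder, not the real root)"
INTERMEDIATE = "VeriSign Class 3 Extended Validation SSL SGC CA"  # from the post
LEAF = "www.teach12.com"  # host named in the post

leaf = Cert(LEAF, INTERMEDIATE)
intermediate = Cert(INTERMEDIATE, ROOT)
root = Cert(ROOT, ROOT)
TRUST_STORE = {ROOT}  # pretend the browser ships only this root


if __name__ == "__main__":
    # Server sends only the leaf: the client cannot reach the root.
    print("leaf only:          ", diagnose_chain([leaf], TRUST_STORE))
    # Server sends leaf + intermediate: the fix an operator would apply.
    print("leaf + intermediate:", diagnose_chain([leaf, intermediate], TRUST_STORE))
    # Complete chain, but the root is not in the client's trust store.
    print("untrusted root:     ", diagnose_chain([leaf, intermediate, root], set()))
```

The useful distinction is in the `unknown-issuer` detail: when the missing issuer is a sub-CA that the CA publishes for operators to install alongside the leaf, the warning is the server's chain configuration, not the trust store, and adding the intermediate to the server's certificate bundle clears it without users clicking through anything. Only when the chain terminates in a self-signed certificate the client does not hold is the question really about which roots the browser pre-trusts.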
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com