IP: SSL Certificate "Monopoly" Bears Financial Fruit

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Jul 10 23:17:52 EDT 2002


jamesd at echeque.com writes:
>On 6 Jul 2002 at 9:33, R. A. Hettinga wrote:
>>Thawte has now announced a round of major price increases.  New
>>cert prices appear to have almost doubled, and renewals have
>>increased more than 50%. While Thawte proclaims this is their
>>first price increase in five years, this comes at a time when we
>>should be seeing *increased* competition and *lower* prices for
>>such virtual products, not such price increases.  But of course,
>>in an effective monopoly environment, it's your way or the
>>highway, so this should have been entirely expected.
>
>IE comes preloaded with about 34 root certificate authorities, and it is easy
>for the end user to add more, to add more in batches. Anyone can coerce open
>SSL to generate any certificates he pleases, with some work.

Both Netscape 6 and MSIE 5 contain ~100 built-in, automatically-trusted CA
certs.

 * Certs with 512-bit keys.

 * Certs with 40-year lifetimes.

 * Certs from organisations you've never heard of before ("Honest Joe's Used
   Cars and Certificates").

 * Certs from CAs with unmaintained/moribund websites ("404.notfound.com").

These certs are what controls access to your machine (ActiveX, Java,
install-on-demand, etc etc).

 * It takes 600-700 mouse clicks to disable these certs to leave only CAs you
   really trust.

(The above information was taken from "A rant about SSL, oder: die grosse
 Sicherheitsillusion" by Matthias Bruestle, presented at the KNF-Kongress
 2002).

>Why is not someone else issuing certificates?

How many more do you need?

Peter.
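As an added example (not part of the post, and not code from Peter Gutmann or from Matthias Bruestle's talk), here is a Go program that does by policy what the post says takes 600-700 mouse clicks by hand: it walks a list of trusted roots, drops the ones with undersized RSA keys or multi-decade lifetimes or that nobody has vouched for, and emits a PEM bundle of the survivors. The four roots, the 2048-bit RSA floor, the 20-year lifetime cap and the one-entry allowlist are all assumptions constructed for the example; the 512-bit keys the post mentions fail the same size check, the 2048-bit floor is simply a modern value.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Policy holds the thresholds a built-in root must meet to stay trusted.
// The values used in main and the test are assumptions for this example.
type Policy struct {
	MinRSABits  int             // reject RSA roots with a modulus shorter than this
	MaxLifetime time.Duration   // reject roots valid for longer than this
	Allowlist   map[string]bool // subject CNs we actually trust; nil disables the check
}

// Finding explains why one root was dropped from the bundle.
type Finding struct {
	Subject string
	Reason  string
}

func rsaBits(c *x509.Certificate) int {
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok {
		return k.N.BitLen()
	}
	return 0 // not RSA; the size check does not apply
}

// AuditRoots applies the policy to every root and returns the ones to keep,
// plus one Finding per rejected root (the first failing rule wins).
func AuditRoots(roots []*x509.Certificate, p Policy) (kept []*x509.Certificate, findings []Finding) {
	for _, c := range roots {
		cn := c.Subject.CommonName
		life := c.NotAfter.Sub(c.NotBefore)
		switch {
		case !c.IsCA:
			findings = append(findings, Finding{cn, "not a CA certificate"})
		case life > p.MaxLifetime:
			findings = append(findings, Finding{cn, fmt.Sprintf("lifetime of %.0f years exceeds policy", life.Hours()/24/365)})
		case rsaBits(c) > 0 && rsaBits(c) < p.MinRSABits:
			findings = append(findings, Finding{cn, fmt.Sprintf("RSA key is only %d bits", rsaBits(c))})
		case p.Allowlist != nil && !p.Allowlist[cn]:
			findings = append(findings, Finding{cn, "not on the allowlist"})
		default:
			kept = append(kept, c)
		}
	}
	return kept, findings
}

// BundlePEM serialises the surviving roots as a PEM bundle ready to install.
func BundlePEM(certs []*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// selfSignedRoot builds a throwaway self-signed CA so the example runs offline
// (constructed input). bits == 0 selects a P-256 ECDSA key instead of RSA.
func selfSignedRoot(cn string, years, bits int) *x509.Certificate {
	var key crypto.Signer
	var err error
	if bits > 0 {
		key, err = rsa.GenerateKey(rand.Reader, bits)
	} else {
		key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	if err != nil {
		panic(err)
	}
	notBefore := time.Date(2002, time.July, 10, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// SampleRoots is a constructed stand-in for a browser's built-in CA list.
func SampleRoots() []*x509.Certificate {
	return []*x509.Certificate{
		selfSignedRoot("Honest Joe's Used Cars and Certificates", 40, 0), // 40-year lifetime
		selfSignedRoot("Legacy Root CA", 10, 1024),                       // undersized RSA key
		selfSignedRoot("Another Fine CA", 10, 0),                         // clean, but nobody vouched for it
		selfSignedRoot("Example Trusted Root", 10, 0),                    // clean and allowlisted
	}
}

func main() {
	// Assumed policy: 2048-bit RSA minimum, 20-year cap, one trusted CN.
	p := Policy{MinRSABits: 2048, MaxLifetime: 20 * 365 * 24 * time.Hour,
		Allowlist: map[string]bool{"Example Trusted Root": true}}
	roots := SampleRoots()
	kept, findings := AuditRoots(roots, p)
	for _, f := range findings {
		fmt.Printf("DROP  %-42s %s\n", f.Subject, f.Reason)
	}
	fmt.Printf("kept %d of %d roots\n%s", len(kept), len(roots), BundlePEM(kept))
}
```

The rules are ordered so that a root is reported once, with its most damning defect; a real audit would also check the signature algorithm and basic-constraints path length, which this example omits.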

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
