Security by asking the drunk whether he's drunk

Jerry Leichter leichter at
Sat Dec 27 07:19:28 EST 2008

On Dec 26, 2008, at 2:39 AM, Peter Gutmann wrote:

> dan at writes:
>> I'm hoping this is just a single instance but it makes you remember
>> that the browser pre-trusted certificate authorities really need to be
>> cleaned up.
> Given the more or less complete failure of commercial PKI for both SSL web
> browsing and code-signing (as evidenced by the multibillion-dollar
> cybercrime industry freely doing all the things that SSL certs and
> code-signing were supposed to prevent them from doing), it's not so much
> "cleaned up" as "replaced with something that may actually work"....
I just had an interesting experience with a different sort of failure: I
tried to buy a DVD from The Teaching Company ( ). When I went to check out -
or even when I connect to the top level at - I get a complaint that their
cert is signed by an unknown authority. It turns out that they recently put
an EV certificate in place. It's issued by "VeriSign Class 3 Extended
Validation SSL SGC CA" - which neither Safari 3.2.1 nor Firefox 3.0.5 on my
Mac have ever heard of!

I got in touch with the company and actually received intelligent responses
both at their 800 number - I placed my order that way - and in a response
from their customer service people. Most remarkable - almost all
organizations ignore such communication. It's ironic that those who appear
to be trying the hardest are being screwed over by the system that's
currently in place - and will inadvertently be involved in training users to
simply bypass yet another kind of bad cert warning.

(I can highly recommend the courses that The Teaching Company distributes,
by the way. I usually borrow them from the library, but I've bought a few of
the best here and there - especially when they have sales, as they do right
now.)

                                                         -- Jerry
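The failure described above (a server certificate issued by an intermediate CA the browser has never seen, so the chain never reaches a trusted root) can be reproduced offline with OpenSSL. This is an added example, not part of the original mailing-list post; the three-tier PKI it builds, its names and its file paths are constructed placeholders, and it assumes an `openssl` binary (1.1.1 or later) on the PATH.

```shell
#!/bin/sh
# Added example, not part of the original post: rebuild the "signed by an
# unknown authority" failure with a throwaway three-tier PKI. All names here
# are placeholders for the demo, not real VeriSign or Teaching Company data.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extension profiles for CA certificates and for the server (leaf) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > leaf.ext

# Root CA: the only certificate the "browser" trust store contains.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
  -extfile ca.ext 2>/dev/null

# Intermediate (the "Extended Validation ... CA" tier), signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Demo Extended Validation CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile ca.ext 2>/dev/null

# Server certificate, signed by the intermediate, not by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=shop.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 30 -extfile leaf.ext 2>/dev/null

# Two possible TLS handshakes: a misconfigured server sends only the leaf;
# a correctly configured one sends the leaf followed by the intermediate.
cat leaf.pem > served_leaf_only.pem
cat leaf.pem int.pem > served_full.pem

# verify_chain BUNDLE: exit 0 when the leaf chains to the trusted root using
# only what the server served (BUNDLE) plus the trust store (root.pem).
verify_chain() {
  openssl verify -CAfile root.pem -untrusted "$1" leaf.pem
}

# The first call fails with "unable to get local issuer certificate", which a
# browser reports as an unknown authority; the second succeeds once the
# intermediate is part of the served chain.
verify_chain served_leaf_only.pem || echo "leaf only: rejected, as the browsers did"
verify_chain served_full.pem && echo "leaf + intermediate: accepted"
```

The server-side fix is the second bundle: serve the intermediate with the leaf rather than expecting every client to already hold it.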