[Cryptography] "Trust in digital certificate ecosystem eroding"

Christian Huitema huitema at huitema.net
Sat May 2 01:39:44 EDT 2015

> >to solve a problem that wasn't obvious about 20 years
> > ago when the system got introduced.
> I'm pretty sure this problem was obvious 20 years ago.

There have been attacks that hacked or abused CA privileges. But most of the attacks follow a simpler path -- tricking or convincing the user to add a particular CA to the root store of their device, or browser. Many corporations do that -- add the local firewall's certificate to the root store of corporate-owned machines, so they can break the encryption and encrypt the traffic at the firewall. Many schools will force a certificate like that on the student's computer, as a condition for using the school's network. Some ISP and hot spots are rumored to do it. 

There are of course technical solutions to detect the problem - CT, HPKP, various forms of pinning, etc. But the real issue is cultural. The practice will not stop until it is widely denounced.

-- Christian Huitema

More information about the cryptography mailing list