On Sun 3 May 2020 07:40 <jamesd at echeque.com> wrote:

> On 2020-05-01 03:49, Phillip Hallam-Baker wrote:
> > Oh yes and that business of me working for a 'for profit' CA. That has
> > not been true for well over a year. At this point it is now the EFF that
> > is in a position to profit greatly from the situation they helped create.
> > Lets Encrypt is probably worth in the region of half a billion dollars.
> >
> > Oh! Oh! people shout. But Lets Encrypt is 'not for profit'.
> LetsEncrypt made an excruciatingly painful process dead easy, and put
> control into the hands of those who should have control.
> LetsEncrypt deserves half a billion dollars.  The rest mostly deserve
> jail time.
> How does LetsEncrypt get that from providing a free service?
> The basic problem with certificates is that a very large number of
> entities can cook up a man in the middle certificate.  Have man in the
> middle certificates been observed in the wild?

A handful of instances of compromised certificates and erroneously issued
certificates being used maliciously in the wild have been discovered.

I think a major issue that makes detection hard is that we don't have
reliable means of tracking worldwide certificate use. Who exactly will
realize that the valid certificate for site X is being used by a server on
the wrong IP? What browser will be logging this and phoning back home about
what servers it saw using which certificates?

As for mistakenly issued certificates, a major part of the issue is that
issuers often don't log them properly, so we don't see that much either.

These things are most often detected when somebody performs a broad scan
for certificates in use (rarely) or when somebody spots strange behavior in
their networks and tracks down the source of the traffic.

So we don't really know how widespread MITM with bad/stolen certs really


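The detection question raised in the reply above (who would notice a valid certificate for site X being served from the wrong IP, or a certificate for site X that the operator never deployed?) comes down to someone keeping a baseline and comparing observations against it. The following is an added example, not code from the thread or from any participant: a small monitor that reads constructed passive-TLS observation records (timestamp, SNI, answering server IP, leaf-certificate fingerprint) and flags two cases, a genuine certificate presented from an unexpected IP and an unknown certificate presented for a known host. The record format, the hostnames, the IP addresses and the fingerprint values are all made up for the example; a real baseline would come from the operator's own deployment inventory or from CT-log monitoring.

```python
"""Passive-TLS observation monitor (added example; records and baseline are constructed)."""
import re
from dataclasses import dataclass

# Constructed sensor feed: one line per observed TLS handshake. Addresses use
# documentation ranges and fingerprints are shortened placeholders.
OBSERVATIONS = """\
2020-05-03T07:40:01Z sni=site-x.example ip=203.0.113.10 fp=sha256:1111aaaa
2020-05-03T07:40:05Z sni=site-x.example ip=203.0.113.11 fp=sha256:1111aaaa
2020-05-03T07:41:10Z sni=site-x.example ip=198.51.100.7 fp=sha256:1111aaaa
2020-05-03T07:42:00Z sni=site-x.example ip=203.0.113.10 fp=sha256:2222bbbb
this line is malformed and must be skipped
2020-05-03T07:43:30Z sni=other.example ip=192.0.2.44 fp=sha256:3333cccc
"""

# Assumed baseline (hypothetical): the leaf fingerprints the operator actually
# deployed for each host, and the server IPs that legitimately serve it.
BASELINE = {
    "site-x.example": {
        "fingerprints": {"sha256:1111aaaa"},
        "ips": {"203.0.113.10", "203.0.113.11"},
    },
    "other.example": {
        "fingerprints": {"sha256:3333cccc"},
        "ips": {"192.0.2.44"},
    },
}

LINE_RE = re.compile(r"^(?P<ts>\S+) sni=(?P<sni>\S+) ip=(?P<ip>\S+) fp=(?P<fp>\S+)$")


@dataclass(frozen=True)
class Alert:
    kind: str   # "known-cert-wrong-ip", "unexpected-cert" or "unknown-host"
    sni: str
    ip: str
    fp: str
    ts: str


def parse_observations(text):
    """Parse the constructed record format; lines that do not match are dropped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def detect_anomalies(records, baseline):
    """Compare each observation with the baseline and return the alerts raised."""
    alerts = []
    for r in records:
        expected = baseline.get(r["sni"])
        if expected is None:
            # A host we have no baseline for: cannot judge, but worth recording.
            alerts.append(Alert("unknown-host", r["sni"], r["ip"], r["fp"], r["ts"]))
            continue
        if r["fp"] not in expected["fingerprints"]:
            # A leaf cert the operator never deployed: candidate mis-issued or
            # attacker-obtained certificate for this name.
            alerts.append(Alert("unexpected-cert", r["sni"], r["ip"], r["fp"], r["ts"]))
        elif r["ip"] not in expected["ips"]:
            # The operator's genuine cert served by a host the operator does not
            # run: candidate stolen private key or redirected traffic.
            alerts.append(Alert("known-cert-wrong-ip", r["sni"], r["ip"], r["fp"], r["ts"]))
    return alerts


def summarize(alerts):
    """Count alerts per kind; handy for a dashboard or a test."""
    counts = {}
    for a in alerts:
        counts[a.kind] = counts.get(a.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect_anomalies(parse_observations(OBSERVATIONS), BASELINE):
        print(f"{a.ts} {a.kind}: {a.sni} served from {a.ip} with {a.fp}")
```

Two caveats a practitioner would add: the wrong-IP rule only works if the baseline lists every address that legitimately serves the name (CDNs, anycast and load-balancer pools make that list large and volatile), and the unexpected-cert rule only sees certificates that actually get presented to a sensor, so it complements rather than replaces monitoring CT logs for issuance against your names.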