Re: [IAB] Mandatory encryption as part of HTTP2

On Fri, Nov 15, 2013 at 8:55 PM, Randy Bush <randy@xxxxxxx> wrote:
ted, great post.

two things i might further stress.

encrypting as much as reasonably possible spreads the cash of the
pervasive passive attacker.

there may be 600+ 'trusted' CAs.  but what is actually used is a bit
surprising
    "Analysis of the HTTPS Certificate Ecosystem",
    Z. Durumeric, J. Kasten, M. Bailey, J.A. Halderman (University of
    Michigan)
    http://conferences.sigcomm.org/imc/2013/papers/imc257-durumericAemb.pdf
fix needed here.

randy


Actually as has been demonstrated repeatedly, the EFF has been deceptive bordering on outright dishonesty about the 600 CAs. Over 300 of what they identified as separate CAs are all run by a single organization that hands out certs to educational institutions in Germany. There is only one CA with separate intermediate certs for each institution. At least 200 of the other certificates they identify as 'CAs' have a similar origin.

What the EFF study measured was Certificate signing certs where the issuer and the subject are different parties. That does not make them a CA with authority to issue any cert for any web site. As has been confirmed in the case of the German CA, and as the EFF could and should have checked themselves, the German CA maintains full control of all the signing keys.

The EFF people could have checked this out very easily and despite admitting that they can't support the claim in private refuse to make a public correction. Which I think really damages their credibility. It is the Fox News approach to lobbying.

The fact is that there is no way to measure what they are trying to measure by looking at the issued certificates. Issuing an inaccurate figure and then refusing to correct it is not acceptable. 

--
Website: http://hallambaker.com/
