There is a bug report requesting the installation of another root CA for Honest Achmed’s Used Cars and Certificates with the purpose of: “The purpose of this certificate is to allow Honest Achmed to sell bucketloads of other certificates and make a lot of money.” In response to Mozilla’s CA practices? “Honest Achmed promises to abide by these practices. If he’s found not to abide by them, he’ll claim it was a one-off slip-up in procedures and that policies have been changed to ensure that it doesn’t happen again. If it does happen again, he’ll blame it on one of his uncles or maybe his cousin, who still owes him some money for getting the car fixed.” Nice, now, I’m not sure why it was denied, as it seems just as legit of a practice as any of the other CA’s, but Achmed is at least honest about itâ¦
There seems to be a lot of swirl about SSL these days. From Moxies article to this one, I hope there is some sort of critical move as a community being reached that will start to get us thinking about how we are going to begin fixing this system. After all, it was a system that was thrown together by the fine folks at Netscape, but it is starting to see some strain. There have been a number of attacks against the implementation of the protocol and the people who run the CAs. Although, while it is fun to stand up and say this protocol is insecure and something needs to be done, look at the other protocols we depend on. ARP is still a huge security nightmare and has been for years. Sure, Dan found a massive hole in DNS and people fixed it, but Dan is one of the first people to say it is only a temporary fix and we need to move to something more secure fast. Wrights law is in play. Nothing gets fixed until there is an exploit available in a tool like Metasploit.
Larry and John Strand
Originally discussed during episode 240
John Strand will be teaching Hacker Techniques and Incident Response June 25th-30th in Denver Colorado. This time he will do his best to not get kicked out of the hotel….