Wednesday, March 23, 2011

How trustworthy is the CA model

Read:

Recently a hacker with Iranian IP addresses managed to compromise a partner account at Comodo Group's CA and procured eight legitimate SSL certificates for the following 6 respectable domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com.

Web browser makers frantically tried to update their browsers to exclude the bogus certificates, and Mozilla pleaded with a famous security researcher, Jacob Appelbaum, to withhold information from the public until patches were sent out.

How secure is the CA trust model after all? Should we consider using the Tor network instead of a centralised CA?
