Klaus

remove StartSSL from the browser's trust store

 Wed, 23 Apr 2014 12:03:06 +0200 last edited: Wed, 23 Apr 2014 12:03:37 +0200  
#^What the Heartbleed bug revealed to me | gollo's blog

Today, I had a really negative experience with the StartSSL certificate authority. This is the first time that this has happened to me. The problem is that it affects StartSSL’s reputation because it reveals that they value money much higher than security. Security, however, should be a CA’s primary concern. So, what happened? It all started whe...


Indeed, but don't all CAs pay for it?

Ah, and of course the rumors that StartSSL is part of Mozilla's products solely because they paid for it sound much more reasonable to me than a week ago.



Very interesting statistics from ISC about CRL activity after #heartbleed.
#^SSL CRL Activity - Internet Security | SANS ISC

Certificate Revocation Lists ("CRLs") are used to track revoked certificates. Your browser will download these lists to verify if a certificate presented by a web site has been revoked. The graph above shows how many certificates were revoked each day by the different CRLs we are tracking.


The most interesting number, I think, is from CAcert.org, especially the total size. The number of total active certificates per CA would be interesting, too.

But this all is a bit ridiculous. There are thousands of compromised certificates out there that do not get revoked, and even if they do get revoked, there is no working solution to check against revoked certificates. Downloading CRLs does not scale. OCSP is too unreliable, so there is a soft-fail fallback that silently accepts everything. Some browsers don't even use OCSP at all.
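To make the soft-fail point concrete, here is an added illustration (not part of the post, and not a real OCSP or CRL implementation): a small Python policy that first consults a cached CRL and then asks an OCSP responder, under either a soft-fail or a hard-fail policy. The certificates, the CRL entries and the responder outcomes are constructed stand-ins; the names `Cert`, `CachedCrl`, `is_acceptable` and the responder functions are assumptions for this example only.

```python
"""Revocation-check policy: soft-fail vs hard-fail (added illustration).

Everything here is constructed: serials, issuer names, CRL contents and
OCSP responder outcomes are stand-ins, not real PKI data or protocol code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"          # responder has no record of this serial
    UNREACHABLE = "unreachable"  # timeout or network error (outage or blocked responder)


@dataclass(frozen=True)
class Cert:
    issuer: str
    serial: int


@dataclass
class CachedCrl:
    issuer: str
    revoked_serials: frozenset
    next_update: datetime  # the CRL is only trustworthy until this time


def crl_verdict(cert, crl_cache, now):
    """True/False if a fresh CRL for the issuer answers the question, else None."""
    crl = crl_cache.get(cert.issuer)
    if crl is None or crl.next_update <= now:
        return None  # no CRL, or a stale one: cannot decide from the CRL alone
    return cert.serial not in crl.revoked_serials


def is_acceptable(cert, crl_cache, ocsp_lookup, now, hard_fail):
    """Decide whether to accept a certificate under the given policy.

    Consult a cached CRL first, then OCSP. `ocsp_lookup` is a callable
    returning an OcspStatus (a constructed stand-in for a network responder).
    With hard_fail=False an unreachable responder is treated as "good".
    """
    verdict = crl_verdict(cert, crl_cache, now)
    if verdict is not None:
        return verdict
    status = ocsp_lookup(cert)
    if status is OcspStatus.GOOD:
        return True
    if status is OcspStatus.REVOKED:
        return False
    # UNKNOWN or UNREACHABLE: this is exactly where soft-fail silently accepts
    return not hard_fail


# --- constructed sample data ------------------------------------------------
NOW = datetime(2014, 4, 23, 12, 0, tzinfo=timezone.utc)
FRESH_CRL = {"Example CA": CachedCrl("Example CA", frozenset({0x1001}), NOW + timedelta(days=1))}
STALE_CRL = {"Example CA": CachedCrl("Example CA", frozenset({0x1001}), NOW - timedelta(days=1))}
REVOKED_CERT = Cert("Example CA", 0x1001)
VALID_CERT = Cert("Example CA", 0x1002)


def responder_blocked(cert):
    """Simulates an OCSP responder that cannot be reached at all."""
    return OcspStatus.UNREACHABLE


def responder_working(cert):
    """Simulates a healthy responder that knows serial 0x1001 is revoked."""
    return OcspStatus.REVOKED if cert.serial == 0x1001 else OcspStatus.GOOD


def demo():
    """Verdicts (True = accepted) for each combination of CRL state, responder and policy."""
    return {
        "revoked_fresh_crl": is_acceptable(REVOKED_CERT, FRESH_CRL, responder_blocked, NOW, hard_fail=False),
        "revoked_stale_crl_soft_fail_blocked": is_acceptable(REVOKED_CERT, STALE_CRL, responder_blocked, NOW, hard_fail=False),
        "revoked_stale_crl_hard_fail_blocked": is_acceptable(REVOKED_CERT, STALE_CRL, responder_blocked, NOW, hard_fail=True),
        "revoked_stale_crl_soft_fail_working": is_acceptable(REVOKED_CERT, STALE_CRL, responder_working, NOW, hard_fail=False),
        "valid_stale_crl_hard_fail_blocked": is_acceptable(VALID_CERT, STALE_CRL, responder_blocked, NOW, hard_fail=True),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:40s} accepted={accepted}")
```

The two cases worth comparing are the revoked certificate with a stale CRL and an unreachable responder: soft-fail accepts it, hard-fail rejects it. The last case shows the price of hard-fail, a perfectly valid certificate rejected during a responder outage, which is the availability argument browsers used for soft-fail in the first place. A fresh CRL gives the right answer regardless of the responder, which is the case for keeping revocation data close to the client (CRL caching or CRL sets pushed by the vendor) rather than querying at handshake time.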