remove StartSSL from the browser's trust store
Wed, 23 Apr 2014 12:03:06 +0200 last edited: Wed, 23 Apr 2014 12:03:37 +0200
#^What the Heartbleed bug revealed to me | gollo's blog
Indeed, but do not all CA pay for it?
Very interesting statistics from ISC about CRL activity after #heartbleed.
#^SSL CRL Activity - Internet Security | SANS ISC
The most interesting number I think is from CAcert.org, especially the total size. Interesting would be a number of total active certificates per CA, too.
But this all is a bit ridiculous. There are thousand of compromised certificates out there, that get not revoked and even if they get revoked there is no working solution to check against revoked certificates. Downloading CRLs does not scale. OCSP is too unreliable so that there is a soft fail fallback and silenty accepts everything. Some browsers even don't use OCSP at all.
Today, I made a really negative experience with the StartSSL certificate authority. This is the first time that this has happened to me. The problem is that it affects StartSSL’s reputation because it reveals that they value money much higher than security. Security however should be a CA’s primary concern. So, what happened? It all started whe...
Indeed, but do not all CA pay for it?
Ah, and of course the rumors that StartSSL is part of Mozilla's products solely because they paid for it sound much more reasonable to me than a week ago.
Very interesting statistics from ISC about CRL activity after #heartbleed.
#^SSL CRL Activity - Internet Security | SANS ISC
Certificate Revocation Lists ("CRLs") are used to track revoked certificates. Your browser will download these lists to verify if a certificate presented by a web site has been revoked. The graph above shows how many certificates were revoked each day by the different CRLs we are tracking.
The most interesting number I think is from CAcert.org, especially the total size. Interesting would be a number of total active certificates per CA, too.
But this all is a bit ridiculous. There are thousand of compromised certificates out there, that get not revoked and even if they get revoked there is no working solution to check against revoked certificates. Downloading CRLs does not scale. OCSP is too unreliable so that there is a soft fail fallback and silenty accepts everything. Some browsers even don't use OCSP at all.
ssl-crawler
Wed, 16 Apr 2014 15:30:28 +0200
#^http://ssl-crawler.net.t-labs.tu-berlin.de/
#Heartbleed
Current news: 2014-04-09: Are you probing my network for OpenSSL exploits? No!
We are currently working on a survey on the OpenSSL CVE-2014-0160 bug. This means that you will receive malicious looking traffic from this machine. This traffic is, however, of academic nature to assess the extend of the bug from a Internet security perspective. We do not retrieve private data from any of your system and do not intend to exploit your system.
#Heartbleed
Tue, 15 Apr 2014 17:42:24 +0200 last edited: Tue, 15 Apr 2014 17:42:25 +0200
This website is tracked using the Piwik analytics tool. If you do not want that your visits are logged this way you can set a cookie to prevent Piwik from tracking further visits of the site (opt-out).