Friday, November 11, 2022

An Untrustworthy TLS Certificate in Browsers

Cory Doctorow (via Bruce Schneier):

Yesterday, the Washington Post’s Joseph Menn published an in-depth investigation into Trustcor, a certificate authority that is trusted by default by Safari, Chrome and Firefox:

Menn’s report is alarming. Working from reports from University of Calgary privacy researcher Joel Reardon and UC Berkeley security researcher Serge Egelman, Menn presented a laundry list of profoundly disturbing problems with Trustcor[…]


Today, learning that the CA-vetting process I’d blithely assumed was careful and sober-sided is so slapdash that a company without a working phone or a valid physical address could be trusted by billions of browsers, I feel like I did when I decided not to fill my opioid prescription.

1 Comment

I do hope nobody here is at all surprised by this.

DNSSEC+DANE support in applications (including web browsers) now, please. Enough pussy-footing and general intransigence, especially silly political objections.
