An Untrustworthy TLS Certificate in Browsers
Cory Doctorow (via Bruce Schneier):
Yesterday, the Washington Post’s Joseph Menn published an in-depth investigation into Trustcor, a certificate authority that is trusted by default by Safari, Chrome and Firefox:
Menn’s report is alarming. Working from reports from University of Calgary privacy researcher Joel Reardon and UC Berkeley security researcher Serge Egelman, Menn presented a laundry list of profoundly disturbing problems with Trustcor[…]
[…]
Today, learning that the CA-vetting process I’d blithely assumed was careful and sober-sided is so slapdash that a company without a working phone or a valid physical address could be trusted by billions of browsers, I feel like I did when I decided not to fill my opioid prescription.
I do hope nobody here is at all surprised by this.
DNSSEC+DANE support in applications (including web browsers) now, please. Enough pussy-footing and general intransigence, especially silly political objections.