Initially I filed a bug report [1] about the consequences of
CVE-2014-0160, but this seems to be a better place for a discussion.
There was still a discussion about the problem which may be interesting.

To give a short introduction: StartCom is offering free Class 1
certificates under the label StartSSL. The certification is completely
free of charge, but the revocation costs 25 USD.

The Problem: I don't think that this is much money, but I think this will
prevent many people from renewing their keys, which should be considered
as compromised.

They are, maybe not intentionally, throwing people in the pool, but they
don't check if they can swim. Customers of other companies were faced with
the decision whether they would like to and can spend money for TLS. But due to
the free certification, people tend to create dedicated keys for every
service. That is good for the encryption side but bad if these people
now have to pay ~10 * 25 USD.

As a result of that, most people just will not change their keys.
That makes me question if a certificate signed by StartCom can be
considered as trustworthy.

I confronted StartCom with my doubts and asked them to find a way to
solve this hurdle. They wrote me: "This will not happen without changing
the entire business model".

In Germany, this _could_ be considered as fraud, but they don't comply with
European law anyway.

The Consequence: I would like to start a discussion about that and the
reactions. My idea is that there should be a general policy that says
that a revocation can't cost more than the creation, or something like that.
If someone pays 100 USD for certification, he will consider paying 100 USD
for revocation. If someone doesn't pay for certification, he will
hesitate to pay even 1 USD for revocation.

Yours sincerely,
Kaspar Janßen

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=994033