

SSL Certificate for mozilla.com issued without validation - cperciva
http://www.sslshopper.com/article-ssl-certificate-for-mozilla.com-issued-without-validation.html

======
cperciva
HTTPS is more secure than HTTP... but when it's possible to get bogus SSL
certificates like this, it's apparently not very much more secure.

~~~
ars
Not exactly.

HTTPS does two things:

1: verifies who the other party is and prevents MITM attacks.

2: encrypts the connection and prevents snooping.

#2 still works fine, and for many people it's the only thing they care about
since MITM attacks are quite rare, and if you typed the domain name yourself
you don't need the verification either.

~~~
brl
You can't securely exchange keys to do #2 without having #1.

Not sure why you think active attacks are more rare than any other attack
against TLS/SSL sessions. Any time you are in a position to perform a passive
attack (snooping) you could also perform an active attack (MITM). The only
difference is which point-and-click attack tool you download.

~~~
ars
Not true - otherwise self-signed certificates would be pointless. #1 and #2
are independent.

And you can snoop WiFi, but you can't do MITM. (Not easily anyway, you'd need
a radio jammer and other gear.)
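The disagreement above (brl: keys cannot be exchanged securely without authenticating the peer; ars: a self-signed certificate still gives #2 against a passive snooper) can be made concrete with a toy Diffie-Hellman run. This is an added example, not code from the thread or from any product named in it; the group parameters are constructed for illustration, and an HMAC under a long-term key stands in for the certificate-backed signature that binds a key-exchange value to an identity.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed for illustration): p = 2^127 - 1 is prime.
P = 2**127 - 1
G = 5

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_session_key(priv, peer_pub):
    # Hash the shared secret down to a 32-byte session key (the "#2" half).
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def auth_tag(auth_key, pub):
    # HMAC over the public value stands in for a signature chained to a
    # certificate: it binds the value to an identity (the "#1" half).
    return hmac.new(auth_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()

def exchange(authenticated, active_attacker):
    """Run one client/server DH exchange, optionally through an active relay.
    Returns both endpoints' session keys, whether each endpoint accepted the
    peer's value, and the keys the relay can compute from what it saw."""
    auth_key = secrets.token_bytes(32)      # long-term key the relay lacks
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()            # relay's own key pair
    c_tag, s_tag = auth_tag(auth_key, c_pub), auth_tag(auth_key, s_pub)
    # Each side receives what it believes is the peer's value. An active relay
    # substitutes its own value but can only replay the original tag.
    c_recv = (m_pub, s_tag) if active_attacker else (s_pub, s_tag)
    s_recv = (m_pub, c_tag) if active_attacker else (c_pub, c_tag)
    c_ok = (not authenticated) or hmac.compare_digest(c_recv[1], auth_tag(auth_key, c_recv[0]))
    s_ok = (not authenticated) or hmac.compare_digest(s_recv[1], auth_tag(auth_key, s_recv[0]))
    return {
        "client_key": dh_session_key(c_priv, c_recv[0]),
        "server_key": dh_session_key(s_priv, s_recv[0]),
        "client_accepted": c_ok,
        "server_accepted": s_ok,
        # Session keys the relay derives from the values it intercepted.
        "relay_keys": {dh_session_key(m_priv, c_pub), dh_session_key(m_priv, s_pub)},
    }

if __name__ == "__main__":
    r = exchange(authenticated=False, active_attacker=False)
    print("passive snooper, no auth: endpoints share a key:", r["client_key"] == r["server_key"])
    r = exchange(authenticated=False, active_attacker=True)
    print("active relay, no auth: relay holds the client's key:", r["client_key"] in r["relay_keys"])
    r = exchange(authenticated=True, active_attacker=True)
    print("active relay, authenticated: client accepted value:", r["client_accepted"])
```

Against a passive snooper the unauthenticated exchange yields a key the snooper cannot compute, which is the case a self-signed certificate covers; against an active relay the endpoints each share a key with the relay instead, and only the authenticated variant detects the substituted value.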

~~~
brl
Of course I can perform a MITM attack on a wireless network. You might try
thinking about the communication layers above PHY. Almost any of them will do.

------
nailer
Agreed the certificate provider mentioned is a fraud, but so is Veritas, who
issued a certificate identifying some random person as microsoft.com a few
years ago.

Governments need to regulate, and audit, certificate providers, and
financially punish them for failing audits.

------
brl
Now that Firefox has explicit support for key continuity management, I think
I'll just dump my root CA store and go with that. Global PKI is just not such
a great idea.

------
redorb
GoDaddy made me use a number generated from the server (RSA), but I guess that
doesn't mean I own the domain, just the server.

------
sabat
Go Daddy has been doing this for years. They don't care about the
authentication portion of SSL -- just the encryption part.

