This is what I was thinking.

This sounds more like certificates are broken than public key crypto.

Yes they can come to me for my private key, but that's a different issue, then at least they're coming to me and not going to some intermediary "trusted party".

If certificates are broken then public key crypto is broken, because a trusted third-party certificate is necessary to prevent man-in-the-middle attacks, no?

No. The trust model of HTTPS was always broken from the start. This whole story "only" reinforces the point that key distribution and management is hard, and a central list of certificate authorities is not a good solution.

This story has exactly zero effects if you use some public-key system with different key management.

On the negative side, good systems don't really exist. On the plus side, this story might help push the development of good systems.
