On Thu, Aug 1, 2013 at 12:52 AM, Jeremy Baron <jeremy(a)tuxmachine.com> wrote:
On Thu, Aug 1, 2013 at 4:28 AM, Anthony
<wikimail(a)inbox.org> wrote:
Does rapid key rotation in any way make a MITM
attack less detectable?
Presumably the NSA would have no problem getting a fraudulent certificate
signed by DigiCert.
I'm not seeing the relevance. And we have the SSL observatory (EFF) fwiw.
I fully admit that I don't understand exactly how SSL observatory works. I
thought it detected when the key changes, so I was wondering whether
rapidly rotating keys might thwart that. But again, I don't really
understand how it works. So it wasn't a rhetorical question.
We (society, standards making bodies, etc.) need to do more to reform
the current SSL mafia system. (i.e. it should be
easier for a vendor
to remove a CA from a root store and we shouldn't have a situation
where many dozens of orgs all have the ability to sign certs valid for
any domain.)
In order to not be easily detected, the cert used by the MITM would need to
be from the same CA as the usual one (DigiCert?). Or at least from someone
who had obtained DigiCert's key. Or is my cluelessness about how SSL
observatory works showing once again?