?

Log in

No account? Create an account

Previous Entry | Next Entry

So, apparently, the SSL cert theft was performed by a student hacker with the requisite pathological grandiosity:

http://pastebin.com/74KXCaEZ

The language and political logic rings true, but it hardly matters. Even if it was actually a government agency performing the hack, a statement of this kind could only serve to deflect attention from those entities who can make use of it, which is to say, a sovereign government with control over the PTT and the ability to redirect root-server DNS lookups.

But the more important issue is that it was possible at all. The fact that the CA key was stored on a publicly accessible machine running Windoze tells reams about just how "secure" SSL security is. I don't mind admitting that was a real shocker to me.

So I've got to ask why we're keeping this antiquated security infrastructure? Surely, the encryption itself is the only important part. Thawte, Commodo, et al. provide no more security and are prohibitively expensive for the paltry services they provide.

I've got a big soup of ideas sloshing around in my head about networks of trust and mass-key-sigining as a means to overcome the weakest point to social networking, to wit, the centralization of the key server component. It's not as if the technology is there: Freenet, Bitcoin, Zfone, etc. all make use of decentralized security models. A CA network and chain-of-trust VPN network is such a simple idea. But I suppose we need to have our Facebook, Youtube, LinkedIN accounts first before we can get comfortable with untying the model from the central authority.

So, for now, only pederasts and illegal drug dealers are using them. All green things grow out of the muck, I suppose.