Another SSL/TLS fraudulent certificate issued by a CA in the name of Google

Question asked by j-mailor on Mar 25, 2015
Latest reply on Apr 4, 2015 by Reginald Dwyer

Interesting reading: Google Hit Again by Unauthorized SSL/TLS Certificates - eSecurity Planet


It looks like the CA model in SSL/TLS is really broken. A CA should be someone we can trust, but it looks like we can't. HTTP public key pinning is getting more and more importance. In my humble opinion such CAs should be automatically blocked forever, like DigiNotar in the past. You know the logic: if you break the trust, you are out of business. And additionally: all the costs customers have regarding this certificate revocation (like the cost of new certificates at a new CA) should immediately be costs of the CA breaking the trust. Your opinion?


In my humble opinion we should start thinking that web sites not using HTTP public key pinning should not get an A grade in the test. Your opinion?
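As an added example (not from the original thread), a stdlib-only Python sketch of the check HPKP asks the browser to make: hash the leaf certificate's SubjectPublicKeyInfo and compare the result against the site's pins, so a certificate for the same name issued by any other CA fails the check even though it chains to a trusted root. The certificates and keys below are constructed placeholders, and the DER walker assumes a well-formed, definite-length certificate.

```python
import base64, hashlib

def _der(tag, content):
    """Encode a short-form DER TLV (demo data only; content < 128 bytes)."""
    return bytes([tag, len(content)]) + content

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the definite-length TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def extract_spki(cert_der):
    """Walk Certificate -> tbsCertificate to the SubjectPublicKeyInfo TLV."""
    _, tbs, _ = _read_tlv(cert_der, 0)              # Certificate SEQUENCE
    _, pos, _ = _read_tlv(cert_der, tbs)            # tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:                       # optional [0] EXPLICIT version
        pos = _read_tlv(cert_der, pos)[2]
    for _ in range(5):                              # serial, signature, issuer, validity, subject
        pos = _read_tlv(cert_der, pos)[2]
    tag, _, end = _read_tlv(cert_der, pos)
    assert tag == 0x30, "SubjectPublicKeyInfo must be a SEQUENCE"
    return cert_der[pos:end]

def pin_sha256(spki_der):
    """HPKP pin (RFC 7469): base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

def pin_matches(cert_der, pinned):
    """True when the leaf key is one the site pinned, regardless of which CA signed."""
    return pin_sha256(extract_spki(cert_der)) in pinned

def fake_spki(key_bytes):
    """Constructed SPKI: rsaEncryption AlgorithmIdentifier + placeholder key bits."""
    alg = _der(0x06, bytes.fromhex("2A864886F70D010101")) + b"\x05\x00"
    return _der(0x30, _der(0x30, alg) + _der(0x03, b"\x00" + key_bytes))

def fake_cert(spki):
    """Constructed, unsigned certificate shell with just enough structure to walk."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")   # version v3, serial 1
           + _der(0x30, b"") * 4 + spki)     # sigAlg, issuer, validity, subject left empty
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

SPKI_SITE = fake_spki(b"\x01" * 16)    # the site's own key, whose pin the header advertises
SPKI_OTHER = fake_spki(b"\x02" * 16)   # key inside a cert mis-issued by some other CA
SITE_PINS = {pin_sha256(SPKI_SITE)}    # what Public-Key-Pins: pin-sha256="..." carries
```

Major browsers later removed HPKP support, largely because a wrong pin set can lock a site out of its own domain; the SPKI pin computation itself is unchanged in application-level pinning.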