You don’t have to be the fastest antelope
December 29th, 2008
The mozilla.dev.tech.crypto posts after the Comodo incident initially worried me very much. I felt it revealed a systemic weakness in the Web’s PKI system that would compromise the security of Mozilla’s users. I now think it does reveal a systemic weakness, but I don’t think it matters that much, because there are far easier targets. After all, your average phisherman doesn’t even bother with TLS.
We could revoke the Comodo root, or something similar but less drastic. I think such measures would mostly serve to give the appearance that Mozilla is serious about security. Sort of like x-raying shoes at airports. Incidentally, you can board a plane in a middle eastern country, shoes unscanned, and fly to the US.
This sentiment does cut both ways. I don’t see any reason for people to pay five or fifty dollars for certs when they should probably pay 50 cents.
December 30th, 2008 at 2:48 pm
Shutting down an organization that does not perform its duties is not like x-raying shoes at the airport. It’s a temporary inconvenience to people who trusted the wrong people. Let’s punish the right people, help the afflicted and get over it as quickly as we can.
December 31st, 2008 at 12:59 pm
Gary: It’s nothing but security theatre because it doesn’t make anyone safer. SSL as security is a joke beyond the fact it encrypts the traffic, and weakly.