How to protect yourself from the fraudulent * certificate before your Firefox browser is updated. Relatively simple instructions…

Deleting the DigiNotar CA certificate | Troubleshooting | Firefox Help

Michael K Johnson September 03, 2011 13:13

It’s not entirely clear to me that we’ll ever know the whole story, and I figure that if Iran (as we presume) got a wildcard EV cert from them, there’s no reason to trust any of their other certs either. It’s not what we know; it’s that we now have reason to doubt, and that’s good enough reason to distrust a root, especially an EV root.

The biggest problem is not a hack at a single CA. The real problem is in design that allows a single hack to destroy trust; that a single root provides sufficient “trust”. Instead, we should require (say) three trusted root signatures (possibly more signatures for EV than for other certs, possibly more for wildcards than for non-wildcards) before trusting a cert. My 2 ¢
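The multi-signature idea in the comment above, sketched as an added example (not part of the original thread, and not how Firefox or any CA works today): a certificate model is accepted only when enough distinct roots still in the trust store have signed it. The `Cert` type, the roots A-F, the `example.test` names and the thresholds (three, plus one each for EV and for wildcards) are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
)

type Cert struct { // simplified stand-in for an X.509 certificate (constructed model)
	Name string
	EV   bool
	Sigs map[string][]byte // root name -> signature over Body(), which covers Name and EV
}
func (c Cert) Body() []byte { return []byte(fmt.Sprintf("%s|ev=%t", c.Name, c.EV)) }

// Required: three roots, one more for EV, one more for wildcards (assumed numbers).
func Required(c Cert) int {
	extra := map[bool]int{true: 1}
	return 3 + extra[c.EV] + extra[strings.HasPrefix(c.Name, "*.")]
}

// Trusted counts valid signatures from roots that are still in the store.
func Trusted(c Cert, store map[string]ed25519.PublicKey) bool {
	valid := 0
	for root, sig := range c.Sigs {
		if pub, ok := store[root]; ok && ed25519.Verify(pub, c.Body(), sig) {
			valid++
		}
	}
	return valid >= Required(c)
}

func Setup() (map[string]ed25519.PublicKey, func(string, bool, string) Cert) {
	store, keys := map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}
	for _, r := range "ABCDEF" { // hypothetical roots A-F, one key pair each
		store[string(r)], keys[string(r)], _ = ed25519.GenerateKey(nil)
	}
	return store, func(name string, ev bool, roots string) Cert { // signs with the named roots
		c := Cert{Name: name, EV: ev, Sigs: map[string][]byte{}}
		for _, r := range roots {
			c.Sigs[string(r)] = ed25519.Sign(keys[string(r)], c.Body())
		}
		return c
	}
}

func main() {
	store, issue := Setup()
	fmt.Println(Trusted(issue("*.example.test", true, "A"), store)) // false
}
```

Deleting a root from `store`, as the linked Firefox instructions do for DigiNotar, only invalidates certificates that depended on that root to reach their threshold; a certificate with a spare signature stays trusted.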

Michael K Johnson September 05, 2011 13:19

Michael K Johnson September 06, 2011 15:16

Imported from Google+ — content and formatting may not be reliable