by QuicksilverJohn
2473 days ago
It's actually pretty difficult to enumerate all trusted CAs (or even just what organizations are running CAs). Certificate Transparency certainly helps there, but it's not fully required, and doesn't solve all problems. The DigiNotar attack (from 2011) was mainly chosen because it's well known and easy to convey. It wasn't even that technically effective because Chrome had Google's keys pinned, so it was immediately blocked and reported (like you would get with CT today). But, only in Chrome. More recent examples of misissuance include tricking Comodo's OCR-based validation [0] or spoofing DNS to hijack Let's Encrypt issuance [1]. CAs are always going to be vulnerable to these sorts of attacks, and they have such a broad attack surface and so much systemic trust (i.e. power) that can cause unbounded damages with any error.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1311713
[1] https://www.wired.com/2017/04/hackers-hijacked-banks-entire-...
Sure, but somebody else already did that so you can just rely on their work.
https://wiki.mozilla.org/CA/Intermediate_Certificates
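The enumeration the two comments are arguing about ("what organizations are running CAs?") is easy to mechanise once you have a PEM bundle in hand. The following is an added example, not code from the thread, from Mozilla, or from any CA: it walks a PEM bundle, keeps only certificates with BasicConstraints cA=true, groups them by subject Organization, and separates self-signed roots from intermediates, so a cross-signed copy of another organization's root shows up under that organization but chained to the signing root. The bundle it runs on is constructed in `SampleBundle` with made-up organization and CA names; in practice you would feed it the PEM column of the CCADB intermediate report linked above or a system trust store (that input format is an assumption, not something the thread specifies).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// CAEntry is one CA certificate found in a trust bundle.
type CAEntry struct {
	CN     string // subject common name
	Issuer string // issuer common name (equals CN for a self-signed root)
	IsRoot bool   // self-issued and verifies under its own public key
}

// EnumerateCAs walks every CERTIFICATE block in a PEM bundle, keeps only real
// CA certificates (BasicConstraints cA=true) and groups them by subject
// organization. Non-CA and unparseable blocks are counted in skipped rather
// than dropped silently, so a truncated or corrupted bundle is noticed.
func EnumerateCAs(bundle []byte) (byOrg map[string][]CAEntry, skipped int) {
	byOrg = make(map[string][]CAEntry)
	rest := bundle
	for {
		block, remaining := pem.Decode(rest)
		if block == nil {
			return byOrg, skipped
		}
		rest = remaining
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil || !cert.IsCA {
			skipped++
			continue
		}
		org := "(no organization)"
		if len(cert.Subject.Organization) > 0 {
			org = cert.Subject.Organization[0]
		}
		// A root is self-issued (issuer DN == subject DN) and self-signed.
		// A cross-signed copy of another org's root fails this test and is
		// reported as an intermediate chained to the signing org's root.
		isRoot := bytes.Equal(cert.RawSubject, cert.RawIssuer) && cert.CheckSignatureFrom(cert) == nil
		byOrg[org] = append(byOrg[org], CAEntry{CN: cert.Subject.CommonName, Issuer: cert.Issuer.CommonName, IsRoot: isRoot})
	}
}

var serial int64 // constructed sample data only; real CAs use random serials

// newCert issues a certificate for the constructed sample bundle. With parent
// nil it is self-signed; otherwise parent's key signs it. A nil subjectKey
// means "generate a fresh P-256 key". Panics are acceptable here because this
// only builds test fixtures, not production certificates.
func newCert(org, cn string, isCA bool, subjectKey *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) ([]byte, *x509.Certificate, *ecdsa.PrivateKey) {
	if subjectKey == nil {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			panic(err)
		}
		subjectKey = k
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Organization: []string{org}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	signer, signerKey := tmpl, subjectKey
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &subjectKey.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, subjectKey
}

// SampleBundle builds a constructed trust bundle (hypothetical names, not real
// CA data): two organizations, one intermediate, one cross-signed root, one
// non-CA leaf and one corrupt block, so every branch of EnumerateCAs runs.
func SampleBundle() []byte {
	rootA, certA, keyA := newCert("Example Trust Services", "Example Root CA", true, nil, nil, nil)
	subA, certSubA, keySubA := newCert("Example Trust Services", "Example Issuing CA 1", true, nil, certA, keyA)
	rootB, _, keyB := newCert("Other Org", "Other Root CA", true, nil, nil, nil)
	// Same subject and key as Other Root CA, but signed by Example Root: a cross-sign.
	crossB, _, _ := newCert("Other Org", "Other Root CA", true, keyB, certA, keyA)
	leaf, _, _ := newCert("Example Corp", "www.example.test", false, nil, certSubA, keySubA)
	junk := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("not DER")})
	return bytes.Join([][]byte{rootA, subA, rootB, crossB, leaf, junk}, nil)
}

// Report renders the inventory as sorted lines: a count per organization,
// then each intermediate with the CA that issued it.
func Report(byOrg map[string][]CAEntry) []string {
	orgs := make([]string, 0, len(byOrg))
	for o := range byOrg {
		orgs = append(orgs, o)
	}
	sort.Strings(orgs)
	var lines []string
	for _, o := range orgs {
		roots, inters := 0, 0
		for _, e := range byOrg[o] {
			if e.IsRoot {
				roots++
			} else {
				inters++
			}
		}
		lines = append(lines, fmt.Sprintf("%s: %d root(s), %d intermediate(s)", o, roots, inters))
		for _, e := range byOrg[o] {
			if !e.IsRoot {
				lines = append(lines, fmt.Sprintf("  %s <- issued by %s", e.CN, e.Issuer))
			}
		}
	}
	return lines
}

func main() {
	byOrg, skipped := EnumerateCAs(SampleBundle())
	for _, l := range Report(byOrg) {
		fmt.Println(l)
	}
	fmt.Printf("skipped %d non-CA or unparseable block(s)\n", skipped)
}
```

The grouping key is the subject Organization, which is exactly the field that is unreliable in the wild: the same operator appears under several legal names, and a cross-sign puts one organization's CA under another's root. The root test (self-issued and self-signed) is what makes the cross-signed copy visible as an intermediate under the signing root instead of being double counted as a second root, which is the case the thread's "who is actually running CAs" question turns on.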