by JoachimSchipper
5490 days ago
Of course, "just revoke" doesn't actually work: serving an outdated certificate revocation list, or preventing a connection to the OCSP ("is this cert revoked?") server causes browsers to trust "revoked" certificates. Worse, lots of software doesn't even bother to do this check. This is why the browsers hardcoded a list of compromised certificates last time. This is even worse, though, because a lot of "real" certificates depend on this CA. Also, there are no logs to make a blacklist of "bad" certificates, so you can't just revoke a handful...

How many? Did you estimate from sequential serial number allocation?
I am surprised (even if it turns out this is "just" an encrypted webserver key) that they aren't using hardware keys: (a) it's their core business (b) they appear competent (CTO posts to technical mailing lists) (c) they have a /29 so aren't just a single IP on an inaccessible low-end VPS.
ssllabs.com gives them a C rating.