I manually removed trust of China Internet Network Information Center intermediate and root CNNIC certificates on my phone, browsers and email client.
http://ift.tt/1FfICOv
Google and Microsoft removed "trust" of certificates signed by this certificate authority (CA).
I quoted the word trust since the whole CA situation has become a problem. My phone has 132 CA certificates installed in it. There are thousands of CAs out there. Some are in China, Russia, Turkey, India; the same countries in a cyber war with the U.S.
Root certificate authorities are supposed to be the final word that the site you connected to via SSL is the legitimate site. A rogue CA can cause serious problems.
BTW, there's a way to mitigate this a bit, but it requires steps not all website owners can take. DNS-Based Authentication of Named Entities (DANE) lets a site publish the hashes of its valid CA signing certificates in its DNS records. A browser could compare those hashes against the certificate chain it receives and deny the connection if they don't match. You can imagine how many site administrators have set that up. Plus, some domain registry companies don't support it.
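The comparison described above, sketched as an added example (not code from this post or from any browser). It assumes the TLSA records were already fetched and DNSSEC-validated, handles only whole-certificate matching, and uses constructed byte strings in place of real DER certificates; the function names `parse_tlsa` and `chain_allowed` are hypothetical.

```python
import hashlib
import hmac

# Matching types from RFC 6698: 0 = exact bytes, 1 = SHA-256, 2 = SHA-512.
_DIGESTS = {0: lambda b: b,
            1: lambda b: hashlib.sha256(b).digest(),
            2: lambda b: hashlib.sha512(b).digest()}


def parse_tlsa(text):
    """Parse TLSA presentation format: 'usage selector mtype hexdata'."""
    usage, selector, mtype, *hexparts = text.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in _DIGESTS:
        raise ValueError(f"unsupported TLSA parameters: {text!r}")
    return usage, selector, mtype, bytes.fromhex("".join(hexparts))


def chain_allowed(tlsa_records, chain):
    """chain: DER certificates, leaf first. True if any TLSA record matches.

    Usage 0/2 constrain the issuing CA certs (chain[1:]); usage 1/3
    constrain the leaf (chain[0]). Only selector 0 (whole certificate) is
    handled; selector 1 needs an X.509 parser to extract the public key.
    """
    for record in tlsa_records:
        usage, selector, mtype, expected = parse_tlsa(record)
        if selector != 0:
            continue  # skipped, never treated as a match
        candidates = chain[1:] if usage in (0, 2) else chain[:1]
        for der in candidates:
            if hmac.compare_digest(_DIGESTS[mtype](der), expected):
                return True
    return False  # no record matched: the client should refuse the connection


# Constructed stand-ins for DER bytes (not real certificates).
LEAF = b"constructed-leaf-certificate"
GOOD_CA = b"constructed-expected-ca-certificate"
ROGUE_CA = b"constructed-unexpected-ca-certificate"

# What the site owner would publish at _443._tcp.<hostname> (usage 2, SHA-256).
RECORDS = ["2 0 1 " + hashlib.sha256(GOOD_CA).hexdigest()]

if __name__ == "__main__":
    print(chain_allowed(RECORDS, [LEAF, GOOD_CA]))   # chain from the pinned CA
    print(chain_allowed(RECORDS, [LEAF, ROGUE_CA]))  # chain from another CA
```

A chain issued by any CA other than the one whose hash is published fails the check, even if that CA sits in the device's trust store.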
Too many certificate authorities to trust