Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I think we are talking on different lines of thought. I am not concerned with certificate transparency... as the article you point out says it can take a long time [years] before it is found to be compromised. the fact of the matter is, if ssl decryption is possible on the fly, we need a different solution for encryption, this include the use of credit card chip.

an encryption scheme cannot be designed to be broken and expect everything to be 'secure'

EDIT: I am not being allowed to reply.

excuse me, I think you need to read what I wrote more carefully. I do not care about certificate transparency. I must not be communicating clearly I will try again..

I am not referring to the ability to issue a new certificate.

I'm talking about the ability to perform SSL decryption without the end user knowing. you do not need to issue a new certificate to do this, you just need the end user to have trusted a new root CA... which brings us to this article where another company is issuing a root CA. do you trust everyone in your 'trusted root ca's on your computer?

Here are some ways to untrust certs [0][1]and another conversation on this [2]

[0]http://unix.stackexchange.com/questions/285784/untrusting-an...

[1] https://blog.filippo.io/untrusting-an-intermediate-ca-on-os-...

[2] https://news.ycombinator.com/item?id=11781915



Please read it more carefuly:

"One of the problems with digital certificate management is that fraudulent certificates take a long time to be spotted, reported and revoked by the browser vendors. Certificate Transparency would help by making it impossible for a certificate to be issued for a domain without the domain owner knowing."


You can pretty much trust all the root CAs that provide Certificate Transparency. If such a CA went evil such an event would be detected.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: