Remix clone Hacker News

Stealing a private key or getting a CA to misissue a certificate is hard. Then actually making use of this in a MITM attack is also difficult.

Still, oppressive states or hacked ISPs can perform these attacks on small scales (e.g. individual orgs/households) and go undetected.

For a technology the whole world depends on for secure communication, we shouldn't wait until we detect instances of this happening. Taking action to make these attacks harder, more expensive, and shorter lasting is being forward thinking.

Certificate transparency and Multi-Perspective Issuance Corroboration are examples of innovations without bothering people.

Problem is, the benefits of these improvements are limited if attackers can keep using the stolen keys or misissued certificates for 5 years (plus potentially whatever the DCV reuse limit is).

Next time a DigiNotar, Debian weak keys, or heartbleed -like event happens, we'll be glad that these certs exit the ecosystem sooner rather than later.

▲

ocdtrekkie 4 days ago | parent [-]

[flagged]

	▲	dang 3 days ago \| parent [-]
		Can you please follow the site guidelines when posting to HN, regardless of how wrong anyone else is or you feel they are? You broke them more than once in this thread (e.g. in this comment, in https://news.ycombinator.com/item?id=43698063, and arguably in your root post to the thread too - https://news.ycombinator.com/item?id=43687459). I'm sure you have legit reasons to feel strongly about the topic and also that you have substantive points to make, but if you want to make them on HN, please make them thoughtfully. Your argument will be more convincing then, too, so it's in your interests to do so.