| ▲ | throwaway2037 3 days ago | |||||||||||||||||||||||||
This is a great point. For all of the "technically correct" arguments going on here, this one is the most practical counterpoint. Yes, in theory, Verisign (now Symantec) could issue some insane wildcard Google.com cert and send the public-private key pair to you personally. In practice, this would never happen, because it is a corporation with rules and security policies that forbid it. Thinking deeper about it: Verisign (now Symantec) must have some insanely good security, because every black hat nation state actor would love to break into on their cert issuance servers and export a bunch of legit signed certs to run man-in-the-middle attacks against major email providers. (I'm pretty sure this already happened in Netherlands.) | ||||||||||||||||||||||||||
| ▲ | codethief 3 days ago | parent | next [-] | |||||||||||||||||||||||||
> every black hat nation state actor would love to break into on their cert issuance servers and export a bunch of legit signed certs to run man-in-the-middle attacks I might be misremembering but I thought one insight from the Snowden documents was that a certain three-letter agency had already accomplished that? | ||||||||||||||||||||||||||
| ||||||||||||||||||||||||||
| ▲ | Ajedi32 2 days ago | parent | prev | next [-] | |||||||||||||||||||||||||
This isn't about the cert issuance servers, but DNS servers. If you compromise DNS then just about any CA in the world will happily issue you a cert for the compromised domain, and nobody would even be able to blame them for that because they'd just be following the DNS validation process prescribed in the BRs. | ||||||||||||||||||||||||||
| ▲ | tptacek 2 days ago | parent | prev [-] | |||||||||||||||||||||||||
Verisign (Symantec) can't do anything, because the browsers distrusted them. | ||||||||||||||||||||||||||