Fraudsters Can Easily Buy SSL Certificates, Researcher Finds


"The industry-accepted standard for confirming someone is who they say they are and that they control a domain is that 'the CA takes reasonable measures to verify,' which is very ambiguous at best and meaningless at worst," wrote world-renowned security expert Kurt Seifried in an article on SSL security keys published in the May 2010 issue of Linux Magazine.

As Betanews reported last week, two university researchers discovered at a recent security conference that security companies often deal with governments that can compel certificate authorities to produce SSL security keys for them. Those keys can then be used to sign certificates in the name of any other Web site, enabling a law enforcement authority -- hypothetically speaking, of course -- to spoof virtually any other site.

http://www.technewsworld.com/story/Fraudsters-Can-Easily-Buy-SSL-Certificates-Researcher-Finds-69686.html?wlc=1270451367
