firefox and bad ssl certificates

Zak B. Elep zakame at ubuntu.com
Wed May 14 04:51:19 BST 2008


On Wed, May 14, 2008 at 11:40 AM, Mackenzie Morgan <macoafi at gmail.com> wrote:
> On Tue, 2008-05-13 at 16:24 -0400, Phillip Susi wrote:
>> No, they won't, and shouldn't.  Why pay some idiot corporation an
>> extortion fee just because they bribed the browser manufacturers to
>> include their certs by default?  There is NO added security to having a
>> paid for cert.  See the several incidents where bank web sites have been
>> spoofed on a slightly misspelled version of the domain name and issued a
>> "valid" cert from a CA "proving" they are the bank you thought you were
>> visiting.
>
> http://cacert.org, which has its certs included in Ubuntu by default, is
> free.

Be advised however to use the new OpenSSL[0] to generate your CSR and
private key pair, in light of DSA-1571[1].

[0] http://packages.ubuntu.com/openssl
[1] http://www.ubuntu.com/usn/usn-612-1

It may also be worth considering putting off submitting CSRs to CAs
(CACert included) until those CAs can confirm that they are not (or no
longer) affected by the issue.

Cheers,

Zakame


-- 
Zak B. Elep || http://zakame.spunge.org
zakame at ubuntu.com || zakame at spunge.org || zakame at morphlabs.com
1486 7957 454D E529 E4F1 F75E 5787 B1FD FA53 851D



More information about the Ubuntu-devel-discuss mailing list