(www.markround.com)

170 points todsacerdoti | 1 comments | 10 Dec 25 07:06 UTC | HN request time: 0s | source

Show context

account42 ◴[10 Dec 25 09:06 UTC] No.46215635[source]▶

> Consider this - what is the likelihood of every certificate authority on the Internet having their private keys compromised simultaneously? I’d wager that’s almost at the whatever is the statistics equivalent of the Planck length level of probability.

It doesn't matter if every certificate authority is compromised or just one. One is all that is needed to sign certificates for all websites.

replies(2): >>46215668 #>>46216034 #

mark_round ◴[10 Dec 25 09:12 UTC] No.46215668[source]▶

>>46215635 #

Author here, hi! Was just venting last night, but that's a very good point, I'll update it later with your correction :)

replies(1): >>46215764 #

acer4666 ◴[10 Dec 25 09:26 UTC] No.46215764[source]▶

>>46215668 #

You should make it about CT logs. I believe you need to compromise at least three of them.

replies(2): >>46216043 #>>46216386 #

tialaramex ◴[10 Dec 25 10:09 UTC] No.46216043[source]▶

>>46215764 #

The whole point of the logs is that they're tamper-evident. If you think the certificate you've seen wasn't logged you can show proof. If you think the logs tell you something different from everybody else you can prove that too.

It is striking that we don't see that. We reliably see people saying "obviously" the Mossad or the NSA are snooping but they haven't shown any evidence that there's tampering

replies(2): >>46217128 #>>46217299 #

1. rnhmjoj ◴[10 Dec 25 12:51 UTC] No.46217128[source]▶

>>46216043 #

> It is striking that we don't see that

It probably just means they are asking the providers to hand over the data, no need to perform active attacks.

↑

Stop Breaking TLS