On Wed, 31 Dec 2008 12:57:52 EST, Elazar Broad said:

> That's true, keeping up with security is not cheap nor easy.

Meanwhile, doing nothing is *always* cheap and easy, especially when it's very unlikely that *you* will end up paying the price...

> Tradeoffs are tradeoffs, the question is, when it comes down to
> the $$$, is it more cost effective to be proactive vs reactive in this
> case. Time will tell...

The important point here is that the cost of the vulnerability is what economists call an externality - the CA who issued the cert that got abused isn't the one who ends up with the headache.

If Certs-R-Us gives BadGuy Inc a jiggered cert, and BadGuy Inc uses that to make a fake Widgets-Today.com site and Joe Sixpack gets suckered, then Joe Sixpack has a problem, Widgets-Today may have a problem - and neither victim is very likely to blame Certs-R-Us - after all, Widgets-Today got *their* cert from somebody else. Certs-R-Us doesn't have a problem unless they end up on CNN - otherwise *their* potential customers won't know there's an issue.

On the other hand, if Microsoft and Mozilla issue updates that make their browsers reject out-of-hand any cert with an MD5, *that* will make Certs-R-Us sit up and pay attention *immediately*, because "I bought a cert from you and the frikking thing doesn't work" *does* impact their bottom line.

I predict that if Microsoft and Mozilla do this, there will be a lot of ambulance-chasing, as opportunists spider the web looking for OpenSSL connections that present a cert with MD5, and spam the site with "We have sooper-cheap non-MD5 certs!" ads...
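The browser-side rule the message argues for (reject out-of-hand any cert whose signature is MD5-based), as an added example that is not part of this message or of the list thread: a stdlib-only Python walk over the certificate's DER that pulls out both AlgorithmIdentifier OIDs, the outer `signatureAlgorithm` and the `signature` field inside `tbsCertificate`, and refuses the cert if either is wrong or if the two disagree. The `make_test_cert` helper, the OID table and all function names are this example's own; the certificates it builds are constructed dummies with empty placeholder fields and no real signature, used only so the checker can run offline.

```python
# Signature-algorithm OIDs built on MD2/MD4/MD5 (PKCS#1 arc and the older OIW arc).
WEAK_SIG_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.3.14.3.2.3": "md5WithRSA (OIW)",
}

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):
    """Turn OID content octets into dotted form (base-128 arcs, high bit = continue)."""
    arcs = [2, value[0] - 80] if value[0] >= 80 else [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _algorithm_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid)

def signature_algorithms(cert_der):
    """Return (outer, inner): Certificate.signatureAlgorithm and tbsCertificate.signature.
    RFC 5280 requires the two to be identical; a verifier that reads only one can be steered."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, pos = _read_tlv(cert, 0)          # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, sig_alg, _ = _read_tlv(cert, pos)        # signatureAlgorithm
    tag, _, p = _read_tlv(tbs, 0)               # [0] EXPLICIT version (optional) or serialNumber
    if tag == 0xA0:
        tag, _, p = _read_tlv(tbs, p)           # serialNumber
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    _, inner_alg, _ = _read_tlv(tbs, p)         # signature AlgorithmIdentifier
    return _algorithm_oid(sig_alg), _algorithm_oid(inner_alg)

def check_cert(cert_der):
    """Apply the rule from the post: refuse any certificate with an MD-based signature."""
    outer, inner = signature_algorithms(cert_der)
    if outer != inner:
        return "reject: signatureAlgorithm %s != tbsCertificate.signature %s" % (outer, inner)
    if outer in WEAK_SIG_OIDS:
        return "reject: " + WEAK_SIG_OIDS[outer]
    return "accept: " + outer

# Constructed test certificates below: dummy contents, never signed by anyone.
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def make_test_cert(inner_oid, outer_oid):
    """Build a dummy DER certificate; only the two AlgorithmIdentifiers are realistic,
    issuer/validity/subject/SPKI are empty placeholder SEQUENCEs."""
    def alg(oid):
        return _der(0x30, _der(0x06, _encode_oid(oid)) + b"\x05\x00")   # parameters = NULL
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))    # version v3
                     + _der(0x02, b"\x01")              # serialNumber 1
                     + alg(inner_oid)                   # signature
                     + _der(0x30, b"") * 4)             # placeholder fields
    return _der(0x30, tbs + alg(outer_oid) + _der(0x03, b"\x00" * 17))  # signatureValue placeholder

if __name__ == "__main__":
    md5, sha256 = "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.11"
    for inner, outer in ((md5, md5), (sha256, sha256), (md5, sha256)):
        print(check_cert(make_test_cert(inner, outer)))
```

To point this at a live server, `ssl.get_server_certificate((host, 443))` from the standard library returns the leaf certificate as PEM and `ssl.PEM_cert_to_DER_cert` turns it into the bytes `check_cert` expects. Run the same walk over every certificate in the presented chain, not just the leaf: an MD5 signature on an intermediate is as much a problem as one on the end-entity cert, and a checker that only looks at the leaf would let it through.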
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/