Perhaps I should have been more explicit about the reason for my question.<div><br></div><div>It is alleged that somebody is interfering with traffic to Facebook. The suggested countermeasure is to insist upon an SSL connection from the outset - not to trust the standard HTTP page.</div>
<div><br></div><div>If those same attackers can persuade <i>any </i>of the CAs trusted by the browser to issue a duplicate Facebook certificate then they can interfere with SSL connections as well. Most browsers will not display any warning message in such circumstances.</div>
<div><br></div><div>You can reduce (but not eliminate) this risk by paring down the list of trusted CAs.</div><div><br></div><div>Now consider which SSL sites you visit. Perhaps your e-mail service or your bank. Are you happy that <i>all</i> of the CAs trusted by your browser are permitted to sign certificates purporting to represent your e-mail service or bank?</div>
<div><br></div><div> Mark</div><div><br><br><div class="gmail_quote">On 26 January 2011 11:26, Brian Morrison <span dir="ltr"><<a href="mailto:bdm@fenrir.org.uk">bdm@fenrir.org.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="im">On Wed, 26 Jan 2011 09:18:11 +0000<br>
Mark Lomas <<a href="mailto:ukcrypto@absent-minded.com">ukcrypto@absent-minded.com</a>> wrote:<br>
<br>
> May I conduct an informal survey? Who on this mailing list has not<br>
> removed any of the CA certificates that were pre-installed by whoever<br>
> supplied your browser?<br>
<br>
</div>Not me. All I have done is add the CACert root certificate so that<br>
some of my own certificates work.<br>
<br>
Having said that, I don't ignore any error or warning messages, and I<br>
do quite often check certificate fingerprints. In a widely rolled-out<br>
deployment of SSL the security you gain is there to raise the bar to<br>
compromise, not to eliminate it.<br>
<br>
--<br>
<font color="#888888"><br>
Brian Morrison<br>
<br>
</font></blockquote></div><br></div>