That's the message in this Google blogpost about the TURKTRUST incident, which says:
Late on December 24, Chrome detected and blocked an unauthorized digital certificate for the "*.google.com" domain

What that implies is that Chrome acts as 100 million sensors on the Internet looking for *.google.com MitM attacks. If you are a government wanting to spy on your citizens, as soon as you insert a fraudulent signing certificate into your BlueCoat monitor, one of your citizens using Google Chrome is going to notify the mother ship.
This is a good thing. Microsoft (with IE) and Firefox should get into the act. They should likewise monitor other likely monitoring targets, like Facebook and Twitter. If the major browsers triggered whenever the certificate for the major websites changed, this would severely restrict the ability of governments to monitor their citizens.
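The detection the two paragraphs above describe, reduced to its core check, as an added example that is not Google's or Chrome's code: the browser ships a hash of the public key it expects for a host and flags any chain for that host that contains no pinned key, whichever trusted CA signed it. The host name, the Ed25519 keys and the self-signed fixture certificates are constructed here; a real browser's pin set and its reporting path are assumed, not shown.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// spkiPin hashes the cert's SubjectPublicKeyInfo, the value a browser's built-in pin list stores.
func spkiPin(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

// chainMatchesPins reports whether any certificate in the presented chain carries a pinned key.
// For a pinned host, a chain with none is the signal the post describes, whichever CA signed it.
func chainMatchesPins(chain []*x509.Certificate, pins map[[32]byte]bool) bool {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true
		}
	}
	return false
}

// selfSigned builds a constructed test certificate for host with a fresh key (fixture only).
func selfSigned(host string) *x509.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) } // cannot fail with rand.Reader; a failure is a programming error
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

func main() {
	legit, rogue := selfSigned("*.google.com"), selfSigned("*.google.com") // same name, different keys
	pins := map[[32]byte]bool{spkiPin(legit): true}                        // pin set shipped in the browser
	fmt.Println(chainMatchesPins([]*x509.Certificate{legit}, pins), chainMatchesPins([]*x509.Certificate{rogue}, pins)) // true false
}
```

The second result is the case the post cares about: a certificate that names *.google.com and may chain to a trusted root, yet carries a key the browser has never seen, which is exactly what a browser should report rather than silently accept.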
It appears that Firefox, Microsoft, and Chrome are not completely detrusting TURKTRUST. This is wrong. MitM should be an automatic fail for a CA. Remember that the root of the CA system is not the CAs themselves, but the browser vendors. The browser vendors should have a published list of rules that will get a CA detrusted, and MitM should be one of them.