Could this be anything like the DigiNotar hack?[0]

If it came out that Symantec's certificate authority was used to issue fraudulent certificates, the damage to their business could be in the hundreds of millions. What if the silence is because Symantec is trying to figure out the best way to break the news to us?

Edit: After a bit more reading, Symantec has some history of monitoring .pw for malware and spam.[1][2][3] Perhaps someone just decided they wanted nothing more to do with PW issuer Directi, which apparently has a poor reputation.[4]

[0] https://en.wikipedia.org/wiki/DigiNotar

[1] http://www.symantec.com/connect/blogs/rise-pw-urls-spam-messages

[2] http://www.symantec.com/connect/blogs/pw-hit-and-run-spam-royal-baby-trend

[3] http://www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise

[4] http://www.jl.ly/Email/palau.html
This is strange. An entire TLD? Symantec hasn't issued an announcement. There's nothing on the CA/Browser Forum mailing list. Nothing on the Symantec Security Response Blog. Nothing on Symantec's Twitter feeds.

Symantec stopped issuing certs in .PW six days ago, according to a blog post.[1] But there appears to have been no public announcement. Even if there was a major security breach justifying this, Symantec has botched the revocation and has lost much trust.

[1] https://www.reddit.com/r/sysadmin/comments/3j9iyk/just_a_heads_up_symantec_is_cancelling_ssl/
For everybody else who was wondering, .pw is Palau, a tiny island nation (pop. 17k) in Micronesia:

https://en.wikipedia.org/wiki/.pw

And apparently its sole decent hotel is smart enough to use a .com instead:

http://www.palauppr.com/default-en.html
The current CA PKI system is pure madness. Everyone in the CA club can issue certificates for anything - and you are at their mercy for not revoking. And what's worse, even if you pick a decent vendor, you can't prevent shadier outfits from also issuing parallel certs. :(
"But here's the thing: why did Geotrust just go ahead and revoke the certificates for all .PW domains without any warning?"

Why indeed? My first notice of this was a client unable to use the app even though the cert was issued less than 6 months ago and was a 2 year cert. Like the author, I also initially thought it was a client configuration issue until I tried.

I contacted the reseller, who didn't have an answer right off the bat but had to contact Geotrust. After 15 minutes of fooling around I got an answer and a refund. So yes, they issued me a refund. Great. My clients had downtime. I had to drop what I was doing "right then" and install new certs. Finally I had to walk clients through clearing old certs from their browser as they were getting the scary "Untrusted!" popup. Fortunately this is a private app for a specific client so there weren't a bunch of calls.

Geotrust's handling of this was ridiculous. No email, no notification... I'll certainly never get a cert from them again over this incident.
Let's Encrypt is starting to issue the first certificates.[1]

Hopefully dealing with bad CAs will be a thing of the past.

[1] https://letsencrypt.org/2015/08/07/updated-lets-encrypt-launch-schedule.html
I've had issues with other registrars revoking certificates for questionable reasons (i.e., any reason other than obvious loss of control of the private key).

Is there a "bulletproof" registrar that doesn't revoke? If my client loses thousands of dollars per day of downtime, I'm sure they'd be willing to pay through the nose for it.

I understand the reasons for having a revocation system, but it's often not a benefit to me on a balance-of-risks basis.
Is this for real? All we have is one unknown blogger, Colin Keigher, picked up by other sources. It's Tuesday afternoon, so everyone is back at work. A takedown of an entire TLD should have hit news sources and major security blogs by now. I'm not seeing anything other than echoes of the original blog post. It hasn't even come up on the CA/Browser Forum mailing list or security blogs.
I just developed a browser-to-server crypto channel meant to replace the SSL certificate mess on a side project I'm working on. I know that there's a bad rap for browser-based crypto and rolling your own, but I've got some knowledge and thought I would give it a shot.

The code is not public (yet) but uses DH key exchange (using the JS BigInt library) to exchange a 2048 bit token key and then uses sjcl to perform encryption on each packet/request using the resulting key.

It's lacking host validation (am I talking to the correct server?), but I'm still working on getting that piece together.
I don't know who thought that having the possibility of revoking certificates was a good idea, especially when that possibility is controlled by CAs