Earlier today: https://news.ycombinator.com/item?id=33810755 (40 comments at the moment)
The thread is hilarious.

The accused being passive-aggressive to essentially the judges is mind-boggling.

I also like how the TrustCor person in the discussion claims the spyware was by a rogue developer and they can't do anything about that and gets the reply from the initial poster:

"This same rogue developer set up a proxy to receive data sent by the SDK and then forward it on somewhere else. This involved compromising one or more machines owned by TrustCor. This compromise went undetected by TrustCor/MsgSafe for 3+ years."

This compromise was undetected by the CA for 3+ years. Q.E.D.

And from Google [Edit: was Mozilla, thanks] "I tend to agree at this point that discussing the merits of the claims might be superfluous, because the conduct of the CA's representative is a more urgent issue [...]"
Seems reasonable to me. Although it's not ideal to distrust without a "smoking gun", it is (as pointed out) inadmissible for any ties to exist between a CA and a malware company.

Seeing how a closer look by Mozilla, Google and Apple into publicly available data quickly turned up more points of suspicion, I wonder how much scrutiny is put into CAs in general, and whether it's enough. Mozilla currently lists 148 trusted certificates [0] (soon to be 145, with TrustCor's departure).

[0] https://ccadb-public.secure.force.com/mozilla/CACertificatesInFirefoxReport
Certificates are broken anyhow, we might as well do away with them altogether. How am I ever able to research, verify and in the end trust all the hundreds of certificate providers out there? Answer: I don't, nobody does, and that's why it will never work. What's wrong with SSH's encryption, btw? Can't we put that in a browser?