[tor-talk] Dutch CA actually issued a lot more than *.torproject.org

Jacob Appelbaum jacob at appelbaum.net
Sun Sep 4 17:41:21 UTC 2011


I've added a second blog post that I believe will be of interest to Tor

This is the list of CA roots that should probably never be trusted again:

DigiNotar Cyber CA
DigiNotar Extended Validation CA
DigiNotar Public CA 2025
DigiNotar Public CA - G2
Koninklijke Notariele Beroepsorganisatie CA
Stichting TTP Infos CA

The most egregious certs issued were for *.*.com and *.*.org while
certificates for Windows Update and certificates for other hosts are of
limited harm by comparison. The attackers also issued certificates in
the names of other certificate authorities such as "VeriSign Root CA"
and "Thawte Root CA" as we witnessed with ComodoGate, although we cannot
determine whether they succeeded in creating any intermediate CA certs.
That's really saying something about the amount of damage a single
compromised CA might inflict with poor security practices and regular
internet luck.

Additionally, I've uploaded the files that include as much information
as is currently known:

All the best,
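
The following is an added example, not part of the original post: a triage check that flags certificate records whose issuer name is on the list above or whose DNS names use wildcards the way `*.*.com` does. The wildcard policy (one wildcard, whole leftmost label, at least two labels after it) generalizes beyond the two names in the post and is this example's assumption, as are the function names and the sample records.

```python
# Issuer names copied from the list in the post above.
DISTRUSTED_ISSUERS = {
    "DigiNotar Cyber CA",
    "DigiNotar Extended Validation CA",
    "DigiNotar Public CA 2025",
    "DigiNotar Public CA - G2",
    "Koninklijke Notariele Beroepsorganisatie CA",
    "Stichting TTP Infos CA",
}
_NORMALIZED = {" ".join(n.lower().split()) for n in DISTRUSTED_ISSUERS}


def wildcard_problem(name):
    """Return why a dNSName pattern is unacceptable, or None if it is fine."""
    labels = name.lower().rstrip(".").split(".")
    stars = [i for i, label in enumerate(labels) if "*" in label]
    if not stars:
        return None
    if len(stars) > 1:
        return "more than one wildcard label"
    if stars[0] != 0 or labels[0] != "*":
        return "wildcard is not the entire leftmost label"
    if len(labels) < 3:
        return "wildcard directly under a top-level label"
    return None


def audit_cert(issuer_cn, dns_names):
    """Collect findings for one certificate's issuer CN and DNS names."""
    findings = []
    if " ".join(issuer_cn.lower().split()) in _NORMALIZED:
        findings.append(f"issuer on distrust list: {issuer_cn}")
    for name in dns_names:
        reason = wildcard_problem(name)
        if reason:
            findings.append(f"{name}: {reason}")
    return findings


# Constructed sample records (issuer CN, DNS names), not real certificates.
SAMPLES = [
    ("DigiNotar Public CA 2025", ["*.*.com"]),
    ("Example Issuing CA", ["*.example.org", "www.example.org"]),
    ("diginotar  cyber ca", ["*.org"]),
]

if __name__ == "__main__":
    for issuer, names in SAMPLES:
        print(issuer, "->", audit_cert(issuer, names) or "no findings")
```

Matching on the issuer name is only a first pass for reviewing logs or stored chains; removing trust should act on the CA certificates themselves, since a name can be reused by an unrelated certificate.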
