Comment by 0xbadcafebee

3 years ago

It's really not that bold. Ask anyone who works for a CA, or an ISP, or a registrar, or a mail hoster, or a browser manufacturer, or DNS provider... If you just read up on how PKI works, on how certificates get issued, how the network protocols work, etc, it's all just right there. The holes are very well known and understood and not fixed because they're in the design. Every so often somebody comes up with another mitigation, which of course you have to opt into, and still doesn't solve all the holes.

It's like SS7, or SWIFT. It's not bold to claim that all public phone networks and bank transfers are insecure, it's just a fact. People who know what they are know they're vulnerable.

As an aside to the design issues, social engineering any of the thousands of organizations involved with issuing certs (not just CAs) is trivial. A bored teenager could get certs issued for most domains by using nothing more than a telephone or e-mail. But that's cheating, so I don't count it.