Free Republic
Browse · Search
General/Chat
Topics · Post Article

To: dayglored

OK, so we now know that hackers have a key that is signed by Verisign. Has that key been revoked? Folks, especially Windows folks, are pretty screwed until they can get that revocation out. This is bad for Linux and OSX users as well, because I would imagine that most folks are going to trust that cert, which we now know is in malicious hands.


9 posted on 06/15/2015 9:09:18 PM PDT by zeugma (http://www.freerepublic.com/focus/chat/3294350/posts)


To: zeugma
> Has that key been revoked?

Just as important: How many of the OSes and applications out there that trust signed keys go to the extra trouble of checking the revocation list also?

I can tell you that not all of them bother with that additional step.

And for those unfortunate users, that compromised key is still as good as gold. Except of course it's not...

12 posted on 06/15/2015 9:12:55 PM PDT by dayglored (Meditate for twenty minutes every day, unless you are too busy, in which case meditate for an hour.)

To: zeugma

If you have an internal corporate CA, you could turn off acceptance of external code signing certificates and only trust those issued by your internal CA. It would make installation of new third-party software difficult, but it would protect your network until the CRLs and OCSPs can be updated.


33 posted on 06/16/2015 4:21:10 AM PDT by rarestia (It's time to water the Tree of Liberty.)
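The two checks discussed in this thread (consulting the revocation list, and trusting only an internal CA for code signing), as an added example that is not part of any post. It uses the Python `cryptography` package; every name, key, serial number and certificate is constructed for illustration, and validity dates, key usage and chain depth are deliberately not checked.

```python
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW, DAY = dt.datetime(2015, 6, 16), dt.timedelta(days=1)  # constructed fixed clock
def name(cn): return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(subject, issuer, issuer_key, subject_key, serial):
    return (x509.CertificateBuilder().subject_name(name(subject))
            .issuer_name(name(issuer)).public_key(subject_key.public_key())
            .serial_number(serial).not_valid_before(NOW - DAY)
            .not_valid_after(NOW + 365 * DAY).sign(issuer_key, hashes.SHA256()))

def make_crl(issuer, issuer_key, revoked_serials):
    builder = (x509.CertificateRevocationListBuilder().issuer_name(name(issuer))
               .last_update(NOW).next_update(NOW + 7 * DAY))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(NOW).build())
    return builder.sign(issuer_key, hashes.SHA256())

# crls=None models a verifier that never consults a revocation list.
def accept(cert, trusted_cas, crls=None):
    for ca in trusted_cas:
        if cert.issuer != ca.subject:
            continue
        try:  # signature check only; a verifier that stops here ignores revocation
            ca.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            continue
        if crls is None:
            return True
        crl = next((c for c in crls if c.issuer == ca.subject), None)
        if crl is None or not crl.is_signature_valid(ca.public_key()):
            return False  # fail closed when no trustworthy CRL is available
        return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None
    return False

# Constructed sample PKI: a public CA, an internal CA, and a revoked (stolen) cert.
pub_key, corp_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
PUBLIC_CA = make_cert("Example Public CA", "Example Public CA", pub_key, pub_key, 1)
INTERNAL_CA = make_cert("Example Internal CA", "Example Internal CA", corp_key, corp_key, 1)
STOLEN = make_cert("Compromised Vendor", "Example Public CA", pub_key, leaf_key, 1001)
INHOUSE = make_cert("Corp Build Server", "Example Internal CA", corp_key, leaf_key, 2001)
PUBLIC_CRL = make_crl("Example Public CA", pub_key, [1001])
INTERNAL_CRL = make_crl("Example Internal CA", corp_key, [])
```

With `crls=None` the revoked certificate is still accepted; passing the CRLs, or trusting only `INTERNAL_CA`, rejects it.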
