There is absolutely no reason that I'm aware of not to think the certificate authorities weren't compromised from the very beginning.

Even if you had compromised a CA, there would be a huge risk of being exposed the very first time you abused it. You have to send a legitimate certificate to the site owner, otherwise they would not be able to setup their https site in the first place. However a CA cannot abuse the legitimate certificate because they don't know the corresponding secret key. So in order to do any abuse, you have to forge another certificate.

Now there are two certificates each of which is definitely visible to a small set of legitimate users. If certificate pinning was widespread, then that would be enough to guarantee exposure. We just need a standard for chaining the legitimate certificates over time, such that certificate pinning can work well when the legitimate certificate is replaced with a new legitimate certificate before the old has expired. Ideally it would be designed in a way, that does not require cooperation from the CAs, because they might be afraid of losing control, if such a chaining was readily available.

It is useful and important to focus on as strong security against passive attacks as possible, even if it doesn't improve security against active attacks. Strong security against passive attacks will mean active attacks are needed in more cases, and it also means it is hard to make those active attacks well targeted. And systematic active attacks is both difficult to pull off and also easily detected. Additionally widespread deployment of cryptography, which is only resilient to passive attacks is easier, since it does not rely on key distribution.

It is just important to ensure that you still do use methods secured against active attacks, when the extra security is really needed. Additionally protocols must be designed such that an active attack is required to find out if a connection was protected against them. If you can passively tell if a connection is secured against active attacks, then passive security is practically worthless.

My google search on the issue came up with Ghana, Burkina Faso, and Bangladesh. Two of which seem to be African, the latter South Asian I guess.

I'm sure you can come up with better data.

Besides infant mortality, there's probably unreported miscarriage.

When I was a kid I did Unicef collection every Haloween. We got an orange cardboard coin box at school, and collected donations to it along with our trick-or-treat. Unicef used these funds to build water wells for people in Africa who had only access to contaminated surface water.

A decade or two later, we found that many of these wells accessed aquifers that were contaminated by arsenic. And that thus we kids had funded the wholesale poisoning of people in Africa, and that a lot of them had arsenic-induced cancers that were killing them.

OK, we would not make that mistake again, and today we have access to better water testing. But it caused me to lose my faith that we really do know how to help poor people in the third world, no matter how well-intentioned we are.

And we had better not go around curing disease withoput also promoting birth control. Despite what the churches say, and the local dislikes and prejudices. Or we'll just be condemning more people to starve.

Well, nuclear reactions that we can turn off like laser-initiated fusion are a lot nicer than the alternatives. The inside of your car engine is a raging inferno shot with electric sparks and compressed with inexorable steel cylinders. That doesn't keep you from going on a nice drive with your sweetie.

Agreed. Abelson should be ashamed of himself.

Can someone tell me why it's newsworthy that MIT clowns exonerate themselves & blame their victim?

Other than to demonstrate how low some people can go.

"Caught" would imply that it can't exit the area or phenomenon. In fact it seems to be traveling through the phenomenon. It would be really interesting if its vector chaged, and I thought that was what the headline meant.

This might as well be how Blackberry, Nokia, and Palm blew it. And I'm probably leaving off a few companies.

IMO it all comes down to arrogance about your own platform. In Nokia's case that was Symbian.

What reasons are there to cause one to want to generate a new key instead of reusing the old one?

For the same reasons that you would rotate passwords. It is just a precaution in case it accidentally was leaked. When changing certificate anyway there is no inconvenience to the users from replacing the key, so you might as well replace it. It would for example help a bit in case an old backup of the webserver had been leaked. The difference in security is minor though, there are much greater threats from insecure CAs.

Certificates have an expiry date. They are supposed to be changed before the expiry date is reached. On a well managed system, you'll never see a certificate which has less than a week left of its validity period. Once the certificates are changed, it should be considered best practice to rotate the server key as well, so the new certificate will always be signing a different key from the previous certificate.

It would be nice to have more information to verify the correctness of the new certificate than just the existing CA certificate chain. I would like to see a small extension to SSL where the server can tell the client that any new certificate will be signed using the current certificate. When the client is told that, it can cache the current certificate and warn the user if it sees a new certificate lacking a chain from the old to the new certificate.

Yes, when I saw this I thought that this was a reason to make motherboard IOMMUs a security feature. Also, the DMA destination memory pages should not have the executable bit turned on. Recent generations of Intel/AMD CPUs have provided the ability to turn that bit off.

Great that you found good people to handle those important things.

Thanks, bro :)