<%
Dim strAcceptLanguage
strAcceptLanguage = Request.ServerVariables("HTTP_ACCEPT_LANGUAGE")
'response.write strAcceptLanguage
If InStr(strAcceptLanguage, "zh") > 0 Then
    Response.Redirect "cps.htm"
Else
    Response.Redirect "cps_e.htm"
End If
%>
Yeah, I still think it shouldn't be considered a duplicate. Especially since going directly to WoSign didn't end up solving the overall problem, which is what the linked duplicate question says to do.
Stuff like this is depressing. Are we ever going to have any semblance of privacy and security on the Internet?
Everyone has been hacked, political figures, governments, businesses. In 100 years I think people are going to look back on this time and think we were all crazy like how we see safety in the early auto industry.
The early auto industry? They'll likely think we're crazy looking at our current auto industry. Who doesn't know anyone who was killed or seriously injured in a car crash?
How much of that is avoidable though? You still have people zooming around in big metal/composite boxes. There's only so much that can be done, especially given the culture around cars.
>Domain validation is hard. It isn't as simple as one may think, and WoSign isn't the first to have a problem. They are still a trusted CA for now, and hopefully they will get their act together quickly.
The vulnerability exposed seems like a basic unit test to me (only assume ownership of validated domains or sub-domains - NOT all domains with a common root (or perhaps substring? the article is sparse on details)).
I had already lost faith in the 'everyone can be a root if they describe their process' model of trust before reading this post, but if software vendors that rely on trust anchors on their users' behalf can't be bothered to do even basic due diligence beyond vendor-sponsored audits, I'm left speechless.
Perhaps my experience with FIPS-140 has jaded me, but after seeing so much more money spent on paper-pushing than actual vulnerability assessment (and remediation), I can't help but feel lost after reading this.
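As an added example (not from the thread, and not WoSign's code), this is the kind of scoping check and accompanying unit test the comment above describes: demonstrated control over one name justifies issuance for that exact name and its subdomains, never for its parent, a sibling, or another name that merely shares a suffix or substring. The domain names are constructed placeholders.

```python
"""Illustrative domain-control scoping check for a CA issuance pipeline.

Added example; the function names and sample domains are assumptions, not
anything from the thread or from any real CA's code base.
"""
from typing import Dict, List, Tuple


def normalize(name: str) -> List[str]:
    """Lower-case a DNS name, drop a trailing dot, and split it into labels.

    Rejects empty labels ("a..b") and single-label names so that a malformed
    input can never accidentally compare equal to a real one.
    """
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels


def issuance_allowed(validated: str, requested: str) -> bool:
    """Return True only if control of `validated` justifies issuing for `requested`.

    Allowed: exact match, or `requested` is a subdomain of `validated`.
    Denied:  `requested` is a parent of `validated` (the failure mode discussed
             in the thread), a sibling, or an unrelated name that merely shares
             a trailing substring (e.g. 'notexample.com' vs 'example.com').
    Comparison is label-wise, so a plain substring test is never used.
    """
    v = normalize(validated)
    r = normalize(requested)
    if len(r) < len(v):
        # Shorter than the validated name: a parent domain or unrelated. Deny.
        return False
    return r[-len(v):] == v


# Constructed test table: (validated name, requested name, expected decision).
CASES: List[Tuple[str, str, bool]] = [
    ("sub.example.com", "sub.example.com", True),        # exact match
    ("sub.example.com", "deep.sub.example.com", True),   # subdomain
    ("Example.COM.", "www.example.com", True),           # case / trailing dot
    ("sub.example.com", "example.com", False),           # parent: must deny
    ("sub.example.com", "other.example.com", False),     # sibling: must deny
    ("example.com", "notexample.com", False),            # shared suffix only
    ("sub.example.com", "sub.example.com.evil.test", False),  # prefix only
]


def run_self_checks() -> Dict[str, bool]:
    """Run the table above and return {case_label: passed}.

    A CA's build should fail if any value here is False.
    """
    results: Dict[str, bool] = {}
    for validated, requested, expected in CASES:
        label = f"{validated} -> {requested}"
        results[label] = issuance_allowed(validated, requested) is expected
    return results


if __name__ == "__main__":
    for label, ok in run_self_checks().items():
        print(("PASS " if ok else "FAIL ") + label)
```

The check deliberately compares whole labels from the right rather than calling a substring search, so a validated name can only ever unlock itself and names beneath it; the table is the "basic unit test" the comment has in mind and should be wired into the CA's build so that a regression in scoping fails before it reaches production.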
The only long term solution here is a distributed decentralized DNS service. When there's "default-trust" at some locations (browser CAs), there are weak points in the security chain.
What are the best available dDNS solutions? Ideally these are initially backward compatible with regular DNS to help adoption, and then just disregard CAs.
Imagine your regular developer performing an npm install which pulls in code from a compromised MITMed github URL. That's straightforward rootkit compile and install access!
The root cert for www.schrauger.com is StartCom Certificate Authority. Isn't it their (StartCom's) responsibility to make sure the owner of Certification Authority of WoSign (the next cert in the chain) is acting in accord with some terms and conditions? Secondly, should the browser vendors remove StartCom CA as a trusted root? Do they not do that because all the StartSSL sites would break? Fine with me, personally.
WoSign is included as a root certificate. When they first started, they weren't in all browser stores, so StartCom cross-signed their root certificate.
That way, WoSign could create certificates while they waited for browsers to update with their root certificate. It also helps for legacy/embedded systems that don't get updates, since StartCom has existed far longer. Due to the cross-sign, all WoSign certificates are still compatible.
IIRC not in this case, because WoSign had been accepted as a root; it just wasn't in all browsers yet. LetsEncrypt went through the same process -- it was accepted, but it takes time for root store updates to reach all consumers, so in the meantime it was cross-signed by some other CA. That CA has no responsibility here, since letsencrypt was itself accepted as a CA and was a peer (and is thus fully responsible for its own actions).