HOME · Twitter · Flickr · LinkedIn · publications · @ Ars Technica · Running IPv6 (Apress, 2005) · BGP (O'Reilly, 2002) · BGPexpert.com · presentations · firstname.lastname@example.org
Reading Bruce Schneier's blogpost on the heartbleed bug:
❝I'm hearing that the CAs are completely clogged, trying to reissue so many new certificates. And I'm not sure we have anything close to the infrastructure necessary to revoke half a million certificates.❞
Wouldn't it make sense to simply invalidate update SSL implementations to reject all certificates that predate the discovery of the heartbleed vulnerability? Even if all the the potentially compromised certs are added to revocation lists, most clients don't check for revoked certificates, leaving a huge opportunity for man-in-the-middle attacks using the compromised certificates.