{"id":572,"date":"2017-08-31T15:19:30","date_gmt":"2017-08-31T15:19:30","guid":{"rendered":"http:\/\/securitycurve.com\/?p=572"},"modified":"2017-08-31T15:19:30","modified_gmt":"2017-08-31T15:19:30","slug":"wosign","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=572","title":{"rendered":"Peace out, WoSign. Good news for everyone everywhere"},"content":{"rendered":"

So the browser community has spoken, and WoSign is toast. \u00a0For the purposes of this blog, I’ve selected the iconic image of Ted “Theodore” Logan (get it, because “woah”) as our mascot for this awesome news.<\/p>\n

The deal is that now, Microsoft<\/a>, Google<\/a>, Apple<\/a>, and Mozilla <\/a>have all concluded that WoSign is just way too shady for anybody to rely on it by default. \u00a0Like, for example that time they gave some random dude a certificate for GitHub<\/a>. \u00a0That seriously wasn’t good. \u00a0And now they don’t.<\/p>\n

I wrote a while back<\/a> on why it was really fluxoring important that we, as an industry, remove shadiness from the various trusted CA lists. \u00a0Why? \u00a0Because the economics of the public PKI are such that there is continuous downward pressure on the security of individual players within it. \u00a0If you don’t believe me that that’s true, go read the original post — it takes a while to get there, but it’s a fact jack<\/a>.<\/p>\n

Anyway, getting rid of WoSign is a useful step and keeps me optimistic that folks are taking these things seriously. \u00a0I still think that long-term, the answer is for additional teeth and scrutiny for the CAB Forum Baseline Requirements<\/a>. \u00a0Because having a trusted, not-for-profit, transparent entity maintaining the list of “shady” vs. “not shady” seems less “conflict of interest-ey” to me compared to each browser vendor ensuring compliance with the standard (not to mention it would streamline and strengthen the vetting process). \u00a0But a willingness to send known-problematic folks packing? That’s a good starting point.<\/p>\n","protected":false},"excerpt":{"rendered":"

So the browser community has spoken, and WoSign is toast. \u00a0For the purposes of this blog, I’ve selected the iconic image of Ted “Theodore” Logan (get it, because “woah”) as our mascot for this awesome news. The deal is that now, Microsoft, Google, Apple, and Mozilla have all concluded that WoSign is just way too […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[91,132],"class_list":["post-572","post","type-post","status-publish","format-standard","hentry","category-security","tag-pki","tag-x-509v3"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/572","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=572"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/572\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=572"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=572"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=572"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}