[liberationtech] Facebook SSL certificates keep changing

Sky (Jim Schuyler) sky at cyberspark.net
Thu Jan 19 09:19:05 PST 2012


It seems to me that certificate management even for some large sites is somewhat "manually" coordinated and the certs don't all change or get upgraded at the same time (this is separate from what you are reporting, Brad). My service ( http://cyberspark.net/ ) watched this happen with Google a couple of months ago when they renewed their SSL certs. (Triggered alerts here for several hours.) This was due to the large number of servers involved, and they were updated over the period of hours, not instantly.

I can watch other services, and will do so. The question is "who would benefit from knowing this?"

Putting the checks or certs/fingerprints in the browser might help, and then you have the problem of how the data get updated (a secure workflow would have to be invented and followed), and how to ensure that this process is secure from end to end.

-Sky

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
CyberSpark.net

On Jan 19, 2012, at 7:54 AM, Brad Beckett wrote:

> Has anybody else noticed that Facebook's SSL certificates change from
> DigiCert to VeriSign Trust Network and back every so often?
> I don't like the fact that it makes you unable to tell if you are a victim
> of a man-in-the-middle attack or not via compromised CA or "legal
> intercept".
> 
> As big as Facebook, Google, and Twitter are, they should have their own
> root CA certificates in all major browsers, with published fingerprints or
> perhaps a combined effort of all three of those.
> 
> Brad Beckett
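
An added example, not part of the original thread and not CyberSpark's code: a fingerprint monitor that alerts once per previously unseen certificate instead of on every poll while a renewal rolls across servers over several hours, and that rates an unfamiliar issuer higher than a new certificate from a known one. The `CertWatch` class, backend names, times and certificate bytes are constructed for illustration; in a live check the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, as hex."""
    return hashlib.sha256(der).hexdigest()

class CertWatch:
    def __init__(self, trusted):
        # trusted: {fingerprint: issuer}, confirmed out-of-band by an operator
        self.trusted = dict(trusted)
        self.pending = {}  # fingerprint -> first alert, awaiting review

    def observe(self, when, backend, der, issuer):
        """Return an alert on the first sighting of an untrusted cert, else None."""
        fp = fingerprint(der)
        if fp in self.trusted or fp in self.pending:
            return None  # known cert, or already alerted during this rollout
        # A new cert from an issuer already in use is most likely a renewal;
        # an issuer never seen for this host deserves a closer look.
        severity = "review" if issuer in self.trusted.values() else "high"
        alert = {"when": when, "backend": backend, "issuer": issuer,
                 "fingerprint": fp, "severity": severity}
        self.pending[fp] = alert
        return alert

    def confirm(self, fp):
        """Operator verified this fingerprint through a separate channel."""
        self.trusted[fp] = self.pending.pop(fp)["issuer"]

# Constructed placeholder bytes standing in for DER certificates.
OLD, NEW, ODD = b"constructed-old", b"constructed-renewed", b"constructed-odd"

# Constructed polls of one hostname served by several backends mid-renewal.
OBSERVATIONS = [
    ("09:00", "backend-a", OLD, "DigiCert"),
    ("09:05", "backend-b", NEW, "DigiCert"),
    ("09:10", "backend-a", OLD, "DigiCert"),
    ("09:15", "backend-c", NEW, "DigiCert"),
    ("09:20", "backend-b", ODD, "Constructed Unknown CA"),
    ("09:25", "backend-a", NEW, "DigiCert"),
]

def replay(watch, observations):
    """Feed observations through the watch and collect the alerts raised."""
    return [a for a in (watch.observe(*o) for o in observations) if a]

if __name__ == "__main__":
    watch = CertWatch({fingerprint(OLD): "DigiCert"})
    for a in replay(watch, OBSERVATIONS):
        print(a["when"], a["backend"], a["severity"], a["issuer"])
```

Nothing is trusted automatically: a new fingerprint stays in `pending` until `confirm` is called, which is where the secure update workflow mentioned above would plug in.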