[liberationtech] Facebook SSL certificates keep changing
Sky (Jim Schuyler)
sky at cyberspark.net
Thu Jan 19 09:37:00 PST 2012
The change from DigiCert to Verisign "and back" on FB could just be certain servers that have valid certs but are not in sync with the other FB servers. Your access to FB goes through different physical/logical servers most likely each time you log on. The variability would be a result of upgrading the certs "by hand" rather than by pushing them using scripts. All of this can be difficult in production environments unless everything is done perfectly, which of course it should be. Automation would reduce the chance of a misconfiguration in a single server, and reduce the changes of a rogue certificate being introduced, and also create a single point of failure (which might be either good or bad).
These operational issues should in theory all be "behind the scenes" and I don't know how many people outside of FB and big hosting operations (and their risk analysis techs) really track the ways in which these workflows can fail. I know I certainly did in some of my previous jobs, but we didn't talk much with folks outside the organization except that we shared "good ideas" a lot.
-Sky
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
CyberSpark.net
-Keeping the flame of free speech
and human rights alive online
On Jan 19, 2012, at 7:54 AM, Brad Beckett wrote:
> Has anybody else noticed that Facebook's SSL certificates change form
> DigiCert to VeriSign Trust Network and back every so often?
> I don't like the fact that it makes you unable to tell if you are a victim
> of a man-in-the-middle attack or not via compromised CA or "legal
> intercept".
>
> As big as Facebook, Google, and Twitter are, they should have their own
> root CA certificates in all major browsers, with published fingerprints or
> perhaps a combined effort of all three of those.
>
> Brad Beckett
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
>
> Should you need to change your subscription options, please go to:
>
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
> If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
>
> You will need the user name and password you receive from the list moderator in monthly reminders.
>
> Should you need immediate assistance, please contact the list moderator.
>
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
More information about the liberationtech
mailing list