Skip to content

Top Best Ask Show New Jobs

Certificate Authority change at HN from Comodo to Entrust. No warning?

7 pointslemonade13y ago8 comments

I pin my TLS certificates with the excellent Certificate Patrol browser plugin because otherwise it is just not safe. I just noticed that the certificate of HN changed from Comodo to Entrust, but saw no prior warning. I don't expect it to be a hack, but can someone confirm? (obviously I would have a problem trusting information posted back here as I'm questioning the potential veracity of the whole domain, but I'm willing to take the bet that I'm not really that interesting to mess around with)

8 comments

7 comments · 3 top-level

jacquesm13y ago· 2 in thread

Why would there have to be a prior warning? Certificates are re-issued all the time and sometimes a customer decides to move their business to a new provider.

SSLshopper has a neat little certificate chain checker:

http://www.sslshopper.com/ssl-checker.html#hostname=news.yco...

lemonadeOP13y ago

I think it is a best practise.

Surely, moving to another service provider is fully legit. However, a hijack with a rogue certificate (say from an undiscovered Diginotar) would not be visible to users - thereby exposing their credentials. So people use TOFU (trust on first use) mechanisms like Certificate Patrol:

http://staff.science.uva.nl/~delaat/rp/2012-2013/p56/present...

The future is of course DANE with DNSSEC, where you put information about the certificate and/or the CA in the DNS.

http://tools.ietf.org/html/rfc6698

rlpb13y ago

> I think it is a best practise.

I agree that it would make things more secure if it were a best practise. However, it is currently not. Nobody actually does it, and I think you'd be fighting an unwinnable uphill battle to change this.

If you're going to fight this, you might as well deprecate the CA system as best practice while you're at it. Does this sound unlikely? The same problem applies to asking websites to publish a suitable warning.

And how would you securely broadcast such a warning, anyway?

tokenizerrr13y ago· 2 in thread

> because otherwise it is just not safe

this is just not true

lemonadeOP13y ago

https://www.eff.org/observatory

"Browsers trust a very large number of these CAs, and unfortunately, the security of HTTPS is only as strong as the practices of the least trustworthy/competent CA. Before publishing this data, we attempted to notify administrators of all sites observed vulnerable to the Debian weak key bug; please let us know if your analysis reveals other classes of vulnerabilities so that we can notify affected parties."

bincat13y ago

People from Iran would disagree. Something should also be said about problems of CAs security.

kogir13y ago

Cloudflare. On and off.

j / k navigate · click thread line to collapse