[Ach] (no subject)

Andreas Mirbach a.mirbach at me.com
Sat Jan 11 22:46:57 CET 2014


Even if those certificate authorities have not been hacked, you have to ask yourself "do you trust these third parties in your chain". For websites that need to be reached over the internet by unknown clients, you need them. But if you know your clients, e.g. your company's computers, you can/should use your own CAs. In my opinion there should be a more detailed section about certificate authorities.

Andreas Mirbach

Sent from my iPad

> On 11.01.2014, at 21:36, Rainer Hoerbe <rainer at hoerbe.at> wrote:
> 
> Finding SHA1 collisions requires 2**63 tries (may be a bit less). Faking a certificate this way is quite expensive; there are cheaper ways.
> 
> No, you do not need to be worried, because the security value of those commercial certificates is near zero anyway. It has been insinuated that GoDaddy has been hacked in the past. The question is why pay for a certificate of low value when you can get the same product elsewhere for free, e.g. StartSSL.
> 
> - Rainer
> 
>> On 11.01.2014, at 15:02, Ahmad Bilal <ahmadbilal200854 at gmail.com> wrote:
>> 
>> I have a question. I recently bought a certificate from GoDaddy, and during the installation I chose SHA-2, but the Certificate Signing Request in raw form has SHA-1 written on it, and not SHA-2. Should I be worried?
>> 
>> 
>> 
>> -- 
>> Ahmad Bilal
>> 
>> _______________________________________________
>> Ach mailing list
>> Ach at lists.cert.at
>> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
> 
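
Added example, not part of any message in this thread: a CSR and an issued certificate share the same outer DER layout (a to-be-signed body, then a signature AlgorithmIdentifier, then the signature), so one reader can report the algorithm named on each and the two can be compared. The function names and the skeleton sample are constructed for illustration; only the two RSA OIDs listed are mapped to names, anything else is returned as a dotted OID.

```python
import base64

SIG_ALGS = {  # RSA signature OIDs from PKCS #1
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def to_der(data):  # accept DER as-is, or strip PEM armor and base64-decode
    if data.lstrip().startswith(b"-----BEGIN"):
        rows = [r for r in data.splitlines() if not r.strip().startswith(b"-----")]
        return base64.b64decode(b"".join(rows))
    return data

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def decode_oid(body):
    first = min(body[0] // 40, 2)
    arcs, value = [first, body[0] - 40 * first], 0
    for b in body[1:]:  # base-128, high bit set on all but the last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(data):  # works on a CSR or a certificate
    der = to_der(data)
    tag, start, _ = read_tlv(der, 0)      # outer SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(der, start)      # skip request info / tbsCertificate
    _, alg, _ = read_tlv(der, pos)        # AlgorithmIdentifier SEQUENCE
    tag, s, e = read_tlv(der, alg)        # its OID
    if tag != 0x06:
        raise ValueError("expected an OID")
    oid = decode_oid(der[s:e])
    return SIG_ALGS.get(oid, oid)

def constructed_sample(last_arc):
    """Constructed skeleton (empty info and signature), not a real CSR."""
    alg = b"\x06\x09" + bytes.fromhex("2a864886f70d0101") + bytes([last_arc]) + b"\x05\x00"
    body = b"\x30\x00" + b"\x30" + bytes([len(alg)]) + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body
```

Calling `signature_algorithm()` on the bytes of the CSR file and again on the certificate file returned by the CA shows which hash each one is signed with.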