Subject: German-language CAcert Support List
- From: Michael Tänzer <michael.taenzer AT cacert.org>
- To: cacert AT lists.cacert.org
- Cc: cacert-de AT lists.cacert.org
- Subject: Re: Lie about StartSSL
- Date: Sat, 20 Mar 2010 01:50:32 +0100
- Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
- Openpgp: id=9940BEF1
Hi Nik,
Dominik George wrote:
> a few days ago, I stated that StartSSL was generating private keys
> server-side. This news was published by Heise and not verified well enough
> by me (however, it looked as though they did it, because that stupid WebKit
> browser which must not be named did not look like being busy).
>
> Heise demented the article a few days later, so do I, as after another
> verification, StartSSL does not seem to have comparable security leaks.
Disclaimer: I never used StartSSL, I'll probably never do. The following
is in reliance on screenshots on heise.de.
Yes, client certs are always generated in the browser, but according to
the following screenshot, generating the private key of server certs on
the server side seems standard for them (you need to explicitly skip it):
http://www.heise.de/security/bilderstrecke/bilderstrecke_881188.html?back=880221;bild=6
Could someone verify this claim (e.g. HTML source code of the page the
screenshot is referring to)? I would do it myself but I really don't
want to create an account with them.
Regards
--
Michael Tänzer
CAcert Support Team Leader
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature