[Discuss] root CA bloat

[bogstad at pobox.com (Bill Bogstad)]

On Sat, Nov 22, 2014 at 2:30 AM, Richard Pieri <richard.pieri at gmail.com> wrote:
> On 11/21/2014 6:19 PM, Tom Metro wrote:
>>
>> Has anyone created an extension for Firefox that trims down the cert
>> list to something like the top 50 cert providers?

>...
> It gets better. Do a whois lookup on google.com. Then do one for yahoo.com.
> Now bing.com, microsoft.com, amazon.com, verizon.com, netflix.com,
> apple.com, comcast.com, att.com. Hell, any major commercial service or
> content provider. Chances are you'll see the same names: MarkMonitor and
> Corporation Service Company. These two companies are top-level CAs that
> control the DNS for most of the big-name players in the game. Which is to

You are conflating DNS and Certificate Authorities.   When I look at
the certificate used
for www.microsoft.com, it appears to be signed by Symantec via
Verisign.   In any case, controlling someone's DNS is not the same
thing as being able to sign an SSL certificate that will be accepted.
 And is far as DNS is concerned, I don't see how you could do anything
other then a world wide MITM attack via the whois entry because the
whois database is not queried in realtime.   While doable, I would
expect it to be noticed.   The important thing for actual DNS queries
is the chain of recursive and authoritative  DNS servers involved.
If a DNS attacker is on your physical path to these servers, (or he
manages to pollute the right DNS cache), attacks are relatively easy.
 If you are using DNSSEC (you probably aren't) then things get harder
again.   To be clear, I'm not saying that there aren't problems here.
I'm just saying that whois data isn't the "game over" that you seem to
be implying.

Bill Bogstad