Cheating Chinese certificate authorities, caught by Certificate Transparency, will get the death penalty


#1

Originally published at: http://boingboing.net/2017/07/11/cheaters-never-prosper.html


#2

Talk about clickbait… The title seems to indicate that the people associated with the certificate authorities were sentenced to death by China for their crimes. I was getting ready for a stirring dissertation on the ethics of ratting out even objectively harmful entities under these circumstances. Alas. (Or, rather, thank goodness.)


#3

Yep. My initial parsing of the headline also involved humans getting shot. Or hanged; I’m not up to date on the current fashions in PRC execution methods.


#4

Yeah, “Death penalty” and “China” just trigger all sorts of predictive patterns of thought.


#5

Surely BoingBoing would never abuse our trust by writing clickbaity headlines.


#6

Worst. Headline. Evar.


#7

“will get the death penalty”

will get the death penalty, maybe.


#8

TBF Cory just riffed off the ZDNet headline.
"Google guillotine falls on certificate authorities WoSign, StartCom"
Unless Charlie Osborne meant that they’d be amputating a limb. Or going for a really avant-garde hair-cutting approach. One never knows for certain.


#9

I’m so tired of this shit.


#10

Given China’s well known predilection for handing out the death penalty for corporate malfeasance, the title here is misleading and unnecessarily provocative.


#11

Do people actually leave any Chinese cert authorities enabled? (Or, god forbid, the Hong Kong post office)


#12

Yes. The ‘tyranny of the default’ indicates that everyone leaves everything on that’s on by default.

If you asked most people if they had the certs from the Hong Kong post office enabled, their answer would most likely be “the what from the who?”


#13

TBF, the original headline is pretty clearly not literal (since there isn’t a real “Google guillotine” [YET?!?!]), and clearly names “WoSign, StartCom” as the recipients of the punishment.

I feel like the BB headline just illustrates that the “Cory Hyperbolism Infuser” algorithm needs a rewrite.


#14

Those rogue CAs richly deserved it.

On the other hand, Symantec (and previously COMODO) got a mere slap on the wrist for offenses just as serious, because they are too big to fail. If Chrome were to reject Symantec certs, about 1/3 to half of all websites would stop working and people would switch to Firefox or Edge. This puts them (and other browser makers) in a bind and you can just feel the frustration from the likes of Ryan Sleevi at Google.

Unless the browser makers agree to coordinated bans along with some way to notify webmasters so they replace their certs ahead of time, scumbag companies like Symantec will continue to abuse their certificate-issuing with near impunity.


#15

Indeed. Well put complaint.

I thought clickbait headlines were supposed to work on mouth-breathing dullards, not erudite techies. Guess BB has other ideas.


#16

Yeah, it’s almost all @doctorow. What is his deal?


#17

You know, I consider myself to be computer savvy yet it’s never occurred to me to disable a specific CA. Nor that I even could. Or know where to learn what CAs I should doable.


#18

I like the neologism, “doable” as an antonym for “disable”.


#19

I guess the principle of least astonishment doesn’t apply to headlines.


#20

Now I can’t trust anybody. Except you two.