Whoops! So much for open source allowing for greater scrutiny and security.
It mostly does, of course. But greater transparency also means you need excellent auditing and tracing procedures. This highlights the potential dangers, as well as the daftness of the current trust-based security model.
> Whoops! So much for open source allowing for greater scrutiny and security.
There are two certificates from the same CA. Microsoft ships one of them. Are you willing to vouch for every certificate Microsoft ships with Windows? Are you sure their process is flawless? Are you absolutely sure their code shows all certificates they trust and there is no sneaky unlisted CA in their whole HTTPS stack?
If a public discussion on what could be a massive internet authentication breakdown does not constitute "greater scrutiny and security", I wonder what does.
> Whoops! So much for open source allowing for greater scrutiny and security.
I think you're jumping to conclusions here. For one it did get detected, secondly the theory is that faults are detected earlier and fixed faster, not that they don't occur at all. So no matter how long this has been in the wild, the question is how long it would have been there if it had not been open source. My guess is in this particular case just as long, but there are many other cases besides this one.
It mostly does, of course. But greater transparency also means you need excellent auditing and tracing procedures. This highlights the potential dangers, as well as the daftness of the current trust-based security model.