Ask HN: what happened to LastPass?
http://lastpass.com yields:
An error occurred during a connection to lastpass.com.
Peer's Certificate has been revoked.
(Error code: sec_error_revoked_certificate)
10 comments
[ 4.3 ms ] story [ 28.1 ms ] threadEDIT: They have a new cert online now. One which hasn't been revoked. The issuer is the same. The new cert was generated two days ago.
EDIT2: Their old cert. The one which was revoked wasn't due to expire for another 323 days. I wonder if this is a precaution in case they actually were hacked and their private ssl key was compromised. Hopefully they'll explain what happened.
EDIT3: Here's a screen grab of the information Certificate Patrol gave me about their old and new certificates side by side: https://grepular.com/lastpass.png
EDIT4: On twitter they are stating: "As a security precaution we acquired a new security certificate, they revoked our old one a bit too soon. Fixed" - https://twitter.com/lastpass
EDIT5: Their latest tweet: "Our new SSL cert is active, this was a planned security upgrade : In the words of the Hitchiker's Guide to the Galaxy, DON'T PANIC."
Checking out their latest blog post from 4 days ago: http://blog.lastpass.com/2011/05/lastpass-security-notificat... it says:
"Multiple security experts and firms were brought in to help us, we've engaged one firm to do a further source code based review."
I'm guessing one or more of these security experts advised that they should get their certificate revoked and replaced purely as a precaution. The new cert has the same expiry date as the old one.
In practice, SSL (with CA certified keys issued by lame public CAs) is only really protection from passive eavesdropping anyway; there are enough bad or lax CAs out there that you have to assume an attacker can get a key for an arbitrary site, or can steal a site (not protected in an HSM) from almost any site.
There's nothing really wrong with the X509 PKI in the abstract, but it doesn't really work well for real identity on the Internet. Protection from passive attacks is worthwhile, but it's not worth the disruption to your users to push beyond that to try to keep only one key at a time out there.