12 comments

[ 2.9 ms ] story [ 32.8 ms ] thread
I think the BBC meant white hat, not white hack when mentioning Moxie Marlinspike? Or am I being painfully naive and missing something?
Article's changed now - the BBC quite often make adjustments to the text after it's first published.
(comment deleted)
The article doesn't seem to mention this, and I can't find anything obvious on their site, so does anyone know if these guys are going to disclose with the vendors before publishing?

I know there are plenty of sites that won't do anything unless they're forced to, but there are those of us that do care and would like to know before the whole world does.

So let's say I bought a compromised version of SSL from a certificate vendor. Could I legally ask for my money back? It seems like you were sold something under false pretenses.
probably depends on what kind of contract terms your jurisdiction is willing to ignore on principle, as you almost certainly signed away all such rights when you bought it.
Most of these SSL misconfigurations has nothing to do with certificates.
I can see this going badly. I understand they probably have altruistic motives but I can see some website owner claiming their vulnerable site was 'safe' through obscurity but was attacked due to this public shaming. Should be interesting.

Can anyone correct me/inform us as to whether the site owner will have a leg to stand on in court?

Most laws and regulations require a site to provide "reasonable" and "adequate" protection. While those are loaded legal terms it is generally interpreted in such a way that a site should be proactive enough to be updated against known and patched vulnerabilities. It looks like TIM is reporting on those -- I didn't see any zero-day stuff -- so, to answer your question, I think TIM has a very defensible position if faced with a suit.