fscked.org

Microsoft has committed to providing a timeline for fixing the SSL issues with Hotmail/Live by next Friday and has requested that the tool release be postponed at least until then. I will of course grant this request. I had previously already agreed to delay until end of day on Monday for a similar timeline from Google to provide automatically negotiated secure cookie support, but this does extend things a bit further. However, I will still provide copies of the tool to anyone who contacts me from an email matching the contact info of a domain that is fully paid up with its protection money to the SSL mafia for a current, valid SSL certificate.

At some point after receiving timelines from Microsoft and Google (depending on the duration and level of security provided), I will begin providing copies of the tool to anyone who matches the contact information for *ANY* domain with any type of unofficial SSL certificate.

At some further date after that, I will begin provide copies of the tool to anyone who asks, and then shortly after that, the tool will be posted publicly.

To me, this seems to be the best way to manage the situation to both balance the need for people to have the ability to test their sites with the need to not damage the general public by unnecessary early release of an automated exploit tool.