From this [0] list it seems there are a bunch of RSA root certificates, but they all use RSA 2048 or 4096, both of which are still secure (with 4096 having diminishing returns compared to RSA 2048 [1]).
The article was about RSA 512 which has been known to be weak and crackable for a long time [2].
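As an added illustration of the check behind the comment above (this is example code written for this page, not code from the original thread or from any pass-verification project): a small, dependency-free audit that reads the modulus size out of DER-encoded RSA public keys and flags anything below 2048 bits. It assumes the keys are available as PKCS#1 `RSAPublicKey` structures (`SEQUENCE { INTEGER modulus, INTEGER publicExponent }`); the sample keys are constructed moduli of the right bit length, not real signing keys.

```python
"""Audit RSA modulus sizes in DER-encoded PKCS#1 RSAPublicKey blobs.

Added example. Assumption: keys are PKCS#1 RSAPublicKey DER, i.e.
SEQUENCE { INTEGER modulus, INTEGER publicExponent }. The sample keys
below are constructed (odd numbers with the top bit set), not real keys.
"""

MIN_RSA_BITS = 2048  # 512-bit RSA has been factorable for years; flag anything below this


def _der_len(n: int) -> bytes:
    """Encode a DER length, short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value: int) -> bytes:
    """Encode a non-negative INTEGER, padding with 0x00 when the high bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    inner = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(inner)) + inner


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low 7 bits give the byte count
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def rsa_modulus_bits(der: bytes) -> int:
    """Return the bit length of the modulus in a PKCS#1 RSAPublicKey."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, modulus, _ = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    # A leading 0x00 pad byte does not change the integer value.
    return int.from_bytes(modulus, "big").bit_length()


def audit_keys(keys: dict) -> dict:
    """Map key name -> (modulus bits, 'weak' or 'ok')."""
    result = {}
    for name, der in keys.items():
        bits = rsa_modulus_bits(der)
        result[name] = (bits, "weak" if bits < MIN_RSA_BITS else "ok")
    return result


# Constructed sample keys: not real signing keys, just moduli of the stated size.
SAMPLE_KEYS = {
    "toy-512": encode_rsa_public_key((1 << 511) | 1, 65537),
    "toy-2048": encode_rsa_public_key((1 << 2047) | 1, 65537),
    "toy-4096": encode_rsa_public_key((1 << 4095) | 1, 65537),
}

if __name__ == "__main__":
    for name, (bits, verdict) in audit_keys(SAMPLE_KEYS).items():
        print(f"{name}: RSA-{bits} {verdict}")
```

Against a real trust list you would first extract each certificate's public key (for example with `openssl x509 -pubkey`) and convert it to PKCS#1 form; the parser above deliberately stops at the modulus, so an unexpected tag or a truncated blob raises rather than silently passing.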
The EU is in discussions right now to expire COVID passes unless you have had recent vaccines, i.e. booster shots, which means any security mechanism that is defeated will just be fixed every 9 months.
Seems like a lot of hassle for a vaccine that is safe and will save your life.
France announced it two days ago: starting in mid-January, the health pass will only be valid if less than 7 months have passed since your second dose; if it's more than that, you need a booster. I don't know how they'll implement this technically.
>UPDATE: French & Polish authorities found no sign of cryptographic compromise in the leak of the private key used to sign the vaccine passports and to create fake passes for Mickey Mouse and Adolf Hitler, et al.
Afaik it was a leaked login, not a leak of the keys.
The keys were not leaked, but the web interfaces that allowed generation of these certificates were left open and accessible.
Passes have been sold (through the clear web and the dark web), but many have also been revoked since. As far as I know, the certificates being sold right now are either someone else's certificate (for places that don't check your ID when you walk in) or certificates generated by people working for places that also give out legitimate certificates, such as some pharmacies and hospitals.
There have been fraudulently obtained passes sold on the dark web. There have also been numerous arrests throughout the whole of Europe for this.
The vast majority of the dark-web suppliers are scammers; many of the adverts include a mix of QRs people have posted to social media and a large number of example QRs, including examples that I have generated in the past and used in presentations / on GitHub.
Ah yes, repeat the evil dark web narrative. As if a VPS in Russia would get you into trouble. Criminals will be criminals, even if Tor etc. didn't exist and non-criminals didn't get to be anonymous, too.
Thnx, murilax. I always get Konami and Capcom IPs mixed up ;)
Interestingly, looking at Japanese gaming majors by rev: Bandai (¥600B), Square (¥300B), Konami (¥280B), Sega (¥250B), Capcom (¥95B), I think it roughly tracks with value of IP warchests. Capcom, if it can get Disney to sign off on a Marvel v Capcom re-boot, may have an ace in the hole.