And it shouldn't have been. These are two separate questions.
Think about it. If you connected to my blog, would it actually give you any useful information if Thawte assured you I am who I say I am? You don't have any reason to trust me more than you would trust someone pretending to be me, because I'm some rando with a blog you got linked to.
What use is TLS if I can't know that when my browser says I'm talking to example.com, I'm actually talking to example.com? I've got a secure connection... to literally anyone who can MITM me. PKI isn't 100% secure, but it raises the barrier significantly. I, as someone who owns a coffee shop or runs a corporate network, can't just go out and get a cert for google.com.
So do you trust that Comodo (or any one of the other 180 or so CAs your browser trusts) will not issue a certificate for your bank to the wrong person, after reading this bug report?
I mean, obviously my dream solution where my bank hands me a USB stick with their public key on it when I open an account isn't really feasible, but this bug report makes me wonder what value PKI is really adding.
If that happens (and there are a fair number of pieces that had to fall into place for this attack to work), it puts us back to where we would be if we had no CA. So, do I have absolute confidence? No. But I think the risk is significantly reduced.