Full Disclosure mailing list archives

Re: Trustwave and Mozilla


From: decoder <decoder () own-hero net>
Date: Mon, 13 Feb 2012 13:52:41 +0100

Hi Jeffrey,

On 02/12/2012 11:54 AM, Jeffrey Walton wrote:
> For what it's worth, pinning the certificate can usually remediate
> these sorts of MitM attacks, but Mozilla subverted it:
> http://ssl.entrust.net/blog/?p=615.

Please take a look at our security roadmap
( https://wiki.mozilla.org/Security/Roadmap ). You will see that CA
pinning is a P1 feature, which means it is actively being worked on. In
fact, our update service already does some sort of pinning (for securely
retrieving updates); it's just that failures are not reported right now.
It's possible that this sort of pinning could be extended to other
services and also alert the user (and/or us, if that is possible somehow).


Cheers,

Chris
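The kind of check the reply describes, as an added illustration that is not code from Mozilla or from anyone in the thread: a client compares the server's leaf certificate against a pinned set (primary plus backup pin) and, on mismatch, both refuses the connection and reports the failure, which is the part the reply says the update service does not yet do. The certificate bytes, the host name and the report() callback are constructed stand-ins.

```python
import base64
import hashlib
import socket
import ssl
from typing import Callable, Iterable, Optional

# Constructed stand-ins for DER-encoded certificates (not real certificates):
# the certificate the client expects, a backup for planned rotation, and one
# a MitM proxy might present after tricking or compromising some CA.
EXPECTED_CERT_DER = b"constructed-der-bytes: expected update-server certificate"
BACKUP_CERT_DER = b"constructed-der-bytes: pre-staged replacement certificate"
ROGUE_CERT_DER = b"constructed-der-bytes: certificate issued by an unexpected CA"


def pin_of(cert_der: bytes) -> str:
    """Pin = base64(SHA-256(DER)). Pinning the whole leaf is the simplest form."""
    return base64.b64encode(hashlib.sha256(cert_der).digest()).decode("ascii")


# Always ship at least one backup pin, or a routine certificate rotation
# locks every pinned client out of the service.
PINS = frozenset({pin_of(EXPECTED_CERT_DER), pin_of(BACKUP_CERT_DER)})


def check_pin(cert_der: bytes, pins: Iterable[str],
              report: Optional[Callable[[dict], None]] = None) -> bool:
    """Return True if the presented certificate matches a pin; otherwise
    report the mismatch (if a reporter is configured) and return False."""
    observed = pin_of(cert_der)
    if observed in set(pins):
        return True
    if report is not None:
        # A mismatch is exactly the event worth surfacing to the user/vendor.
        report({"event": "pin_mismatch", "observed": observed,
                "expected": sorted(pins)})
    return False


def fetch_pinned(host: str, port: int, pins: Iterable[str],
                 report: Callable[[dict], None], timeout: float = 5.0) -> str:
    """Normal chain validation first, then the pin check before any data flows.
    Returns the negotiated TLS version; raises on pin mismatch."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf_der = tls.getpeercert(binary_form=True)
            if not check_pin(leaf_der, pins, report):
                raise ssl.SSLError("certificate pin mismatch for %s" % host)
            return tls.version()
```

fetch_pinned() needs a live server and so is not exercised offline; check_pin() is the testable core.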


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/