Full Disclosure mailing list archives
Re: Trustwave and Mozilla (Resolved)
From: Jeffrey Walton <noloader () gmail com>
Date: Wed, 22 Feb 2012 21:03:05 -0500
On Wed, Feb 22, 2012 at 8:31 PM, decoder <decoder () own-hero net> wrote:
Hi, some important points seem missing here. First of all, Mozilla sent a CA communications that clarifies that issuing MitM certificates is not acceptable by the policy (in fact, the policy was *not* clear about that before, this case has never been there).
Ass Eddy Nigg pointed out (https://bugzilla.mozilla.org/show_bug.cgi?id=724929#c13), it was a clear violation: Basically this is not your problem if you don't dictate how this should be done. The Mozilla Policy at http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html requires: for a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf; Failing to ensure the above would be a violation by that CA.
Furthermore, all other CAs (and according to Trustwave, quite a few CAs consider this "common practice"), have been given a deadline by which all of these certificates have to be disclosed (so they can be blocked) and revoked. Any CA not following this faces removal from NSS, which seems a clear statement to me.
Hmmm.... I'm not sure how allowing a confession with no retirbution is good for users or even ethical CAs. I think its sets a terrible precedent. Users can expect to be violated again because Mozilla implicitly condoned the actions by not penalizing the guilty. Ethical CAs a further victimized because they cannot usurp customers from CAs which were removed.
How is that compatible to "violating the end user"? In fact, revoking the Trustwave CA wouldn't have helped a lot to protect the end-user. It wouldn't have been possible to call out to other CAs and get them to stop their MitM business because every such CA disclosing their MitM cert policy would have been removed as well (otherwise it would be unfair, wouldn't it?).
Gothcha. The mob defense invoked by CAs.
It seems to me that the situation is by far not as easy as some people try to put it. Oh and by the way: Have you heard of any other browser vendor taking *any* steps against Trustwave?
Gotcha. The mob defense invoked by Mozilla. (I know, that's not Mozilla's position). For what its worth, if if Microsoft does not act it is the company's choice since I reported via email to their security email addresses (there was nothing relevant on Microsoft Connect). Out of curiosity: what do you think is going to happen when one of these CAs cooperates with law enforcement (rather than a court order) and gets caught doing it in the future? They now know they can act with impunity since Mozilla's sactions are laughable. Jeff
On 02/23/2012 01:12 AM, Jeffrey Walton wrote:It appears to be official. Trustwave issued MitM certificates, which is deceptive, unethical, and contrary to its agreement for inclusion. Mozilla just rewarded their violations of trust by continuing their inclusion. Apparently, agreements between Mozilla and CAs have no veracity as both are more than happy to violate the end user. Original Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=724929 NSS and Firefox Update: https://bugzilla.mozilla.org/show_bug.cgi?id=728617
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Trustwave and Mozilla (Resolved) Jeffrey Walton (Feb 22)
- Re: Trustwave and Mozilla (Resolved) decoder (Feb 22)
- Re: Trustwave and Mozilla (Resolved) Jeffrey Walton (Feb 22)
- Re: Trustwave and Mozilla (Resolved) Al Billings (Feb 23)
- Re: Trustwave and Mozilla (Resolved) Jeffrey Walton (Feb 22)
- Re: Trustwave and Mozilla (Resolved) Wesley Kerfoot (Feb 23)
- Re: Trustwave and Mozilla (Resolved) Ramo (Feb 24)
- Re: [funsec] Trustwave and Mozilla (Resolved) David C Frier (Feb 24)
- Re: [funsec] Trustwave and Mozilla (Resolved) Marcus Meissner (Feb 24)
- Re: Trustwave and Mozilla (Resolved) decoder (Feb 22)