[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Trustwave and Mozilla (Resolved)



On Wed, Feb 22, 2012 at 8:31 PM, decoder <decoder@xxxxxxxxxxxx> wrote:
> Hi,
>
> some important points seem missing here. First of all, Mozilla sent a CA
> communications that clarifies that issuing MitM certificates is not
> acceptable by the policy (in fact, the policy was *not* clear about that
> before, this case has never been there).
Ass Eddy Nigg pointed out
(https://bugzilla.mozilla.org/show_bug.cgi?id=724929#c13), it was a
clear violation:

Basically this is not your problem if you don't dictate how this
should be done. The Mozilla Policy at
http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html
requires:

    for a certificate to be used for SSL-enabled servers, the CA
    takes reasonable measures to verify that the entity submitting
    the certificate signing request has registered the domain(s)
    referenced in the certificate or has been authorized by the domain
    registrant to act on the registrant's behalf;

Failing to ensure the above would be a violation by that CA.

> Furthermore, all other CAs (and
> according to Trustwave, quite a few CAs consider this "common
> practice"), have been given a deadline by which all of these
> certificates have to be disclosed (so they can be blocked) and revoked.
> Any CA not following this faces removal from NSS, which seems a clear
> statement to me.
Hmmm.... I'm not sure how allowing a confession with no retirbution is
good for users or even ethical CAs. I think its sets a terrible
precedent. Users can expect to be violated again because Mozilla
implicitly condoned the actions by not penalizing the guilty. Ethical
CAs a further victimized because they cannot usurp customers from CAs
which were removed.

> How is that compatible to "violating the end user"? In fact, revoking
> the Trustwave CA wouldn't have helped a lot to protect the end-user. It
> wouldn't have been possible to call out to other CAs and get them to
> stop their MitM business because every such CA disclosing their MitM
> cert policy would have been removed as well (otherwise it would be
> unfair, wouldn't it?).
Gothcha. The mob defense invoked by CAs.

> It seems to me that the situation is by far not as easy as some people
> try to put it. Oh and by the way: Have you heard of any other browser
> vendor taking *any* steps against Trustwave?
Gotcha. The mob defense invoked by Mozilla. (I know, that's not
Mozilla's position).

For what its worth, if if Microsoft does not act it is the company's
choice since I reported via email to their security email addresses
(there was nothing relevant on Microsoft Connect).

Out of curiosity: what do you think is going to happen when one of
these CAs cooperates with law enforcement (rather than a court order)
and gets caught doing it in the future? They now know they can act
with impunity since Mozilla's sactions are laughable.

Jeff

> On 02/23/2012 01:12 AM, Jeffrey Walton wrote:
>> It appears to be official.
>>
>> Trustwave issued MitM certificates, which is deceptive, unethical, and
>> contrary to its agreement for inclusion.
>>
>> Mozilla just rewarded their violations of trust by continuing their
>> inclusion. Apparently, agreements between Mozilla and CAs have no
>> veracity as both are more than happy to violate the end user.
>>
>> Original Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=724929
>> NSS and Firefox Update: https://bugzilla.mozilla.org/show_bug.cgi?id=728617

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/