On 2011-09-08 20:02, nlsp wrote:
> On Sep 8, 7:12 pm, Chris Palmer<[email protected]> wrote:
>> On Thu, Sep 8, 2011 at 9:33 AM, nlsp<[email protected]> wrote:
>>> This boils down to whether it is okay to prioritize availability over
>>> security.
>> Availability is a security guarantee just like confidentiality or integrity.
> I disagree. To me, security means integrity prevails over
> availability.
>>> Still, the actual question remains: does the android browser
>>> support CRL or OCSP in any form?
>> Even desktop Firefox has security.OCSP.require set to false. Read the
>> Imperial Violet post again carefully.
> So there is security.OCSP.require and it can be set true. Good.
>>> And since CRLs can be cached, it would be perfectly sane to have a
>>> cached CRL on device for an intermediate that has been compromised,
>> They get kind of big.
>>> such as currently Diginotar “Staat der Nederlanden *” intermediates.
>>> And note that removing the Diginotar root from cacerts.bks does not
>>> help since the intermediates are chained up to a “Staat der
>>> Nederlanden” root which is not compromised and should remain trusted.
>> Actually, no, Staat der Nederlanden is also dead:
>> https://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow...
> You’re wrong. I’ve read all that. The *intermediate* is dead. That is,
> it should be.
> On android, it is alive and trusted. Not good.
You are right. That is the same situation as with desktop browsers.
After certificates from DigiNotar were publicly revoked, e.g. Mozilla
released updates for Firefox and Thunderbird (and maybe other products).
There were even two updates of those in a short period, as news about
the compromise was updated. This means those products have poor security
design, as availability is valued more than integrity. Root certificates
are bundled within applications, which means each change in CAs requires
updating the application itself.
On the other hand, the Opera browser does not contain info on CAs. In order
to check a certificate path, it "consults" Opera's server, which is a
central (and the only) place to hold such info. It means that the
minute an update is issued to a CA's credentials, the info is "propagated"
to all browser installations. You can read further on that at
http://my.opera.com/securitygroup/blog/2011/08/30/when-certificate-authorities-are-hacked-2
Unfortunately, the first situation applies to most Android
applications, even the system itself. I will repeat after you: Not good.
BR,
polishcode
--
You received this message because you are subscribed to the Google Groups "Android
Security Discussions" group.