Nobody wrote:
In their newsletter last night
(http://www.privsoft.com/archive/nws-who.html), PSC software (BOClean)
indicated that they believe that NSSCKBI.DLL contains some questionable
and demonstratively untrustworthy certificate authorities. Their
initial reaction was to include the file in their definitions and offer
to remove it. After complaints that this was a false positive and after
finding that removing the file broke Mozilla products, they removed
NSSCKBI.DLL from their definitions, reissued the update, and published
their newsletter explaining the course of events. They continue to
believe that the file (or rather some of the CAs in the file) is
untrustworthy but don't want to break FF.
Many of us rely heavily on FFs indication that a site is safe before we
enter personal or financial info. Please comment on whether you
consider PSCs concerns reasonable, and if so, whether an effort will be
make to remedy this problem.
The URL above gets so many things wrong, lets look at a few.
Mozilla's NSSCKBI.DLL file contains a number of "secure sockets layer" (SSL)
certificates, including certificates from several unknown and possibly dubious "certifying
authorities."
mozilla.org has a Certificate Policy which states which CA certificates
can get in, you can find it under
https://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html.
Almost all (I'm not sure if the very old ones were checked) the CAs
which are included were checked if they fulfill those requirements. In
the QuoVadis case which they mentioned they could have looked that info
up under https://bugzilla.mozilla.org/show_bug.cgi?id=261375 and in
netscape.public.mozilla.crypto.
The "issue" as we see it is that the end user is not presented with the ability to accept or decline certificates by these unknown quantities, and once a certificate is "stored" on the machine, then any certificate granted by these authorities to others is now considered both "valid" and "safe." Further, the option to VIEW the existing certificates is not available to the user through Netscape/Mozilla/Firefox and is instead hidden in the Windows registry in a difficult to view and modify means.
Also wrong, there is a certificate manager included in both Mozilla and
Firefox (check in Preferences window), where you can view all stored
certificates and delete them if you want. The certificates are stored in
the user profile, not in the registry.
The "root certificates" which this file places go into the Windows registry in
the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
and exists as "subkeys" of the above with GUID numbers to identify each subkey. Names are not used.
The data for the various root authorities is unfortunately coded as "binary" rather than text,
making viewing of the contents challenging, and no "viewer/editor" within Netscape/mozilla/Firefox
is apparently available for their contents.
I'm not to 100% sure here (I do not deal with the NSS/SSL part of
Mozilla that often), but I'm quite sure that nssckbi.dll has _nothing_
to do with this registry key. I doubt NSS writes anything to that
registry key. I still don't know how they did come to the conclusion NSS
has modified that registry key.
And "tinderbox" in the official name for this code is highly unfortunate too
A quick Google search would have told them what this is :) (#4 on Google).
I did not address all the errors on that page, but at least some and I
hope some things are a bit more clear now...
Frank
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
