oops199 wrote:
> Well now based on what Frank Hecker has posted, this is really getting interesting. First he stalwartly defends FF. Then he acknowledges that much of what was reported and commented on is in fact not wrong. And now he begs off as not being an expert.
I'm sorry, I don't understand your point here: Where exactly did I "[acknowledge] that much of what was reported and commented on is in fact not wrong"?
Of PSC's various claims (that NSSCKBI.DLL was malware, that Mozilla/Firefox stored its certificates in the Windows registry, that Mozilla/Firefox provided no way to view/edit/delete certificates, etc.) most if not all are either wrong or at best misleading.
Mele's claims about Firefox behavior in deleting certs do in fact have some validity, at least in terms of the UI issues, which is why I filed a bug report about it. However as I noted, although the current Firefox behavior may confuse users it does not in fact adversely affect their security -- if a user "deletes" a pre-loaded CA cert in Firefox that cert is indeed deactivated from use, even though it still shows up in the list.
Other than that one issue I don't see much if anything where I'm "[acknowledging] that much of what was reported and commented on is in fact not wrong".
> Not ragging you, Frank. Just pointing out the irony of an aggressive defense that does not stand up under scrutiny. So please let's get a Mozilla Security expert in here.
Hey, I'm not proud. If I've written anything that's incorrect then I'd be glad to accept correction from any of the Mozilla crypto/security developers reading this newsgroup.
> Originally I got interested in this as a result of a post in the GRC newsgroups. And I was reluctant to believe that my favorite browser came "preloaded to trust" certifs from sites that have been publishing improperly attributed certs and ones that are pretty much unheard of. Now I am glad I did. This needs some additional review.
As I wrote earlier, we've been reviewing CAs for several years now. If you or anyone else has a specific complaint about a specific CA, and you can back it up with specific evidence, then we're happy to look into it.
Regarding CAs that in your opinion "are pretty much unheard of", there are lots of CAs in the world beyond Verisign, Thawte, etc. This is especially true outside the US, and we ship Firefox worldwide, with a single worldwide pre-loaded root CA list. Many of the CAs that you're unfamiliar with are in fact well-known in particular countries and regions, and are perfectly legitimate CAs.
Regarding the claims about CAs "publishing improperly attributed certs", again some specific facts would be welcome: which CAs? which certs? and so on. Also, I'm not sure what you mean by "improperly attributed certs": Do you mean certs issued to someone who falsely claimed to be someone else? (For example, if a spyware author claimed to be Microsoft and got issued an ActiveX code signing cert.) Or do you mean certs issued to someone who then proceeded to do bad things? (For example, if a company got a code signing cert and then used it to sign malware.)
The former problem (issuing certs to imposters) is in fact something CAs are supposed to prevent through their procedures. If for some reason the procedures don't work and something slips through then CAs are supposed to address the problem by revoking the certificate. If particular CAs are consistently doing a poor job on both the front end vetting of applications and the back end revocation of bad certs then we'd certainly want to re-look at that CA. But, again, mere allegations aren't enough; we have to have some real evidence.
The latter problem (people getting certs and then doing bad things) is something CAs can't necessarily prevent on the front end (because the person or company getting the cert may not have done anything fraudulent yet), but could address on the back end by revoking certificates. Again, if you or anyone has evidence that a particular CA is falling down on the job here then we'd be glad to consider it.
> If FF lets you "delete" an item and then puts it back...??? well certainly makes sense and we can be sure every user will spend lots of time assuring that the delete was deleted.
As I wrote in my previous message, the UI around "deleting" pre-loaded certificates should definitely be changed to make it clearer what's going on.
> So can we get a discussion of how this relates to improving phishing. So that the next time I go to my bank and end up at "check free", I can believe the cert that is the ssl from my own bank??? Sounds like the pathway here is muddled enough so as to be way too exploitable.
I'm unclear on what you're referring to here. Are you referring to the issue where some banks redirect you from their own site (e.g., "bank.com") to another site (e.g., "checking.com")? I agree that this can cause confusion for users, however that's a problem that the banks themselves caused and are responsible for; I'm not sure what Firefox could do to address this issue.
> So regardless of the procedure that seems to be referenced as a defense for including the listed root certs, the results are munged and users stuck with "push".
I'm sorry, I'm not exactly sure what you meant by this last sentence. In any case, certificates and CAs are *not* in and of themselves a defense against phishing and related online fraud. At best a CA verifies the identity of a site's operator, or at least confirms that the site operator owns and controls the domain in question. However CAs don't in any way verify that the people getting certificates are legitimate businesses. It's perfectly possible for phishers, scammers, etc., to get certificates for their sites.
Frank
--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
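The point Frank makes above about "deleting" a pre-loaded root (the entry stays in the list, but its trust is switched off, so chains ending in it are no longer accepted) is easy to misread from the UI alone. The following is an added, simplified model of a root store written for this thread; it is not Firefox or NSS code, and the store layout, the trust-flag name and the sample CA names are assumptions made for the example. It shows why the naive "list of names" view is confusing while the chain check is still correct, and what a trust-aware view would display instead.

```python
"""Toy model of a browser root store where built-in roots cannot be
physically removed but can be distrusted.  Added illustration for this
thread, not Firefox/NSS code; names and flags are assumptions."""

from dataclasses import dataclass

BUILTIN = "builtin"   # shipped with the browser; comes back from the shipped list
USER = "user"         # imported by the user; can really be removed


@dataclass
class RootEntry:
    name: str
    origin: str           # BUILTIN or USER
    trusted: bool = True  # trust flag for issuing server (SSL) certificates


class RootStore:
    def __init__(self, builtin_names):
        # Built-in roots start out trusted, as a shipped list would.
        self._roots = {n: RootEntry(n, BUILTIN) for n in builtin_names}

    def import_user_root(self, name):
        self._roots[name] = RootEntry(name, USER)

    def delete(self, name):
        """What a 'Delete' button does in this model: a user-imported root
        is removed outright; a built-in root is kept (it would reappear
        from the shipped list anyway) but its trust flag is cleared."""
        entry = self._roots[name]
        if entry.origin == USER:
            del self._roots[name]
        else:
            entry.trusted = False

    def listed(self):
        """Names only, as a naive certificate-manager view shows them."""
        return sorted(self._roots)

    def listed_with_trust(self):
        """Name -> trusted flag, which is what a clearer UI would show."""
        return {n: e.trusted for n, e in self._roots.items()}

    def is_trusted_root(self, name):
        entry = self._roots.get(name)
        return entry is not None and entry.trusted


def chain_is_trusted(store, chain):
    """True only if the chain terminates in a root the store still trusts.
    `chain` is a list of subject names, leaf first; only the root lookup
    is modelled here, not signature or validity checking."""
    return store.is_trusted_root(chain[-1])


def demo():
    # Constructed sample data: two built-in roots and one user-imported root.
    store = RootStore(["Example Builtin CA", "Other Builtin CA"])
    store.import_user_root("My Corp CA")
    chain = ["www.example.test", "Example Builtin CA"]

    before = chain_is_trusted(store, chain)
    store.delete("Example Builtin CA")   # built-in: stays listed, distrusted
    store.delete("My Corp CA")           # user root: actually removed
    after = chain_is_trusted(store, chain)

    return {
        "trusted_before": before,
        "trusted_after": after,
        "builtin_still_listed": "Example Builtin CA" in store.listed(),
        "user_root_listed": "My Corp CA" in store.listed(),
        "trust_view": store.listed_with_trust(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running `demo()` shows the behaviour under discussion: the chain is accepted before the delete and rejected after it, yet the built-in root is still present in the plain name listing, whereas the user-imported root is gone. The `listed_with_trust` view is the kind of presentation that would make the difference visible to a user.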