On 19/01/2016 10:15, Ryan Sleevi wrote:
On Mon, January 18, 2016 9:05 pm, Eric Mill wrote:
Really? Given your last few years of experience, if you could time travel
back to 2012, you would tell Past Ryan Sleevi to make a different decision
at that time about adding a flag for MD5 support in the enterprise?
Yes.
Was there significant observed negative fallout of that decision?
Yes.
...
Only to an extent. You're again presuming the enterprise MITM box, which
may show for sites like Amazon (of course, it would not show at all for
enterprise MITM boxes that blocked it). This would not, however, show up
at all for the case of using UAs to access internal enterprise resources,
which is a far greater (by volume of users, though necessarily not volume
of certificates) use case.
Indeed. In our small enterprise, I have observed the following sources
of non-public weaker certificates:
1. Embedded https administration interface servers in difficult to
upgrade hardware (such as otherwise functional HP printers long past
warranty, with the added sting that downgrading to even older
firmware was the only solution for a major vulnerability).
2. An internal CA, which has been almost completely supplanted by a new
one now. It used SHA-1 solely for compatibility with older clients
and may survive in that role as long as such clients are needed for
special tasks.
3. MITM-box like behavior in endpoint antivirus programs (these default
to intercepting SSL/TLS traffic to scan it for viruses). I have not
checked the algorithm used to sign the pseudo-certificates used
for traffic that never leaves the computer on which the signature is
checked, and this is going to be brand-specific anyway.
4. E-mail certificates compatible with Outlook 2007. That one is a
real bummer because of the upgrade costs. And the lack of
confidentiality when using "cloud-focused" programs that do too much
telemetry.
My point is that the over-reliance on metrics underestimates (by orders of
magnitude) the impact to enterprises, which is why IF a user agent wishes
to support enterprises (and it's a complex question of business and
product direction), more nuance is needed.
Indeed. In any security conscious environment, telemetry is an alias
for industrial espionage and can easily get a product thrown out if
blocking the telemetry isn't trivially easy and reliable.
...
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded