Hi Richard, 

I was hoping to do some community organizing in here before going to the CAs individually. Some thoughts:

Going to a CA and demanding (?) that they revoke certs is not a normal situation and I'm expecting some will push back. It would be advantageous to have a more unified voice to articulate what the security community expects.

For the CA-related folks who participate in this forum I was hoping to hear if any of them anticipate problems or concerns. In particular I'm thinking of the pay-to-revoke policies.

When you say configure the browser, I assume you mean adding the 738 certs in the trust store with all the bits disabled? This would be the option of last resort in my mind. My expectation is that CAs will comply because it is in their best interest to keep poorly maintained sites from being associated with their brand.


Maybe this isn't a controversial issue. I hope not. This situation provides us with a good opportunity to provide greater definition to an abstract concept like "a secure internet". This is in the interest of site admins, CAs, and the general public alike.

So once we get a list of the sites, does anyone have thoughts on the best way to disseminate the information and go about forcing action?


From: Richard Barnes
Sent: Thursday, October 2, 2014 1:32 PM

Hi there,

To be clear: Mozilla does not revoke certificates. In some specific cases (e.g., private browsing), Firefox will refuse to connect to a web site, but this is not the same as the certificate being revoked.

It's possible that we could configure the browser to not connect to known vulnerable sites. However, there's a fair degree of administrative overhead involved in maintaining that list, so I would be inclined to only pursue this option if there were a large number of sites affected or if some especially important sites were affected. Unfortunately, in the context of the web, 738 sites is not that many.

I would encourage you to make your case to the CAs that have issued certificates to the vulnerable sites.

--Richard


On Sep 30, 2014, at 11:15 PM, [email protected] wrote:

> According to SSL Pulse there are 738 sites that are vulnerable to Heartbleed:
> https://www.trustworthyinternet.org/ssl-pulse/
>
> I just don't see how that can be tolerated. I'm assuming this data means we have sites that are presenting valid certs even though their private keys can be (and may have already been) compromised. That's not acceptable.
>
> To get the discussion going, I think one way to move forward is for the issuing agencies to notify the offending sites that their certificates will be revoked in, say, 21 days. If a site takes no action then secure connections will fail after that period, which may or may not be a problem for those sites.
>
> If a site wishes to avoid that disruption then the following needs to happen: apply the relevant patches to the vulnerable system; generate a new public/private key pair; get a new certificate issued; and finally install the new cert before the end of the 21 day window.
>
>
> I imagine that could be controversial but we have to start somewhere. So speak up!
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
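The original post lists the steps a site must take after patching: generate a new key pair, get a new certificate issued, and install it. The script below is an added example, not from this thread or from Mozilla, that walks those steps with openssl and adds the check an operator wants before installing the replacement: that the public key in the new certificate actually differs from the old one. A certificate that was merely reissued for the same key leaves the site exactly where SSL Pulse found it. It assumes openssl is on PATH; the hostname, file names and the self-signed certificates standing in for a CA-issued one are constructed for the offline demo.

```shell
#!/bin/sh
# Added example (not from the thread): post-Heartbleed key rotation with a
# check that the new certificate really carries a new public key.
# Assumes openssl on PATH. Hostname and file names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="example.test"   # constructed placeholder, not a real site

# Step 2 of the post: generate a fresh RSA key pair.
gen_key() {
    openssl genrsa -out "$1" 2048 2>/dev/null
}

# Step 3: build the CSR that goes to the CA; the CA returns a cert for this key.
gen_csr() {
    openssl req -new -key "$1" -subj "/CN=$HOST" -out "$2" 2>/dev/null
}

# Stand-in for the CA-issued certificate so the demo runs offline.
self_sign() {
    openssl req -x509 -key "$1" -subj "/CN=$HOST" -days 30 -out "$2" 2>/dev/null
}

# SHA-256 fingerprint of the SubjectPublicKeyInfo inside a private key ("key"),
# a CSR ("csr") or a certificate ("cert"). Two artefacts with the same
# fingerprint carry the same public key, whatever their serial or dates say.
spki_fp() {
    case "$1" in
        key)  openssl pkey -in "$2" -pubout -outform DER 2>/dev/null ;;
        csr)  openssl req -in "$2" -pubkey -noout 2>/dev/null \
                | openssl pkey -pubin -outform DER 2>/dev/null ;;
        cert) openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
                | openssl pkey -pubin -outform DER 2>/dev/null ;;
    esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when the key in the new artefact ($2 = csr|cert, $3 = path) differs
# from the old private key ($1), i.e. rotation happened; exit 1 if the
# compromised key was reused and the cert was only reissued.
key_rotated() {
    [ "$(spki_fp key "$1")" != "$(spki_fp "$2" "$3")" ]
}

demo() {
    gen_key "$WORK/old.key"
    self_sign "$WORK/old.key" "$WORK/old.crt"       # cert live while the host was vulnerable
    gen_key "$WORK/new.key"
    gen_csr "$WORK/new.key" "$WORK/new.csr"
    self_sign "$WORK/new.key" "$WORK/new.crt"       # the proper replacement
    self_sign "$WORK/old.key" "$WORK/reissued.crt"  # a reissue that kept the old key

    if key_rotated "$WORK/old.key" cert "$WORK/new.crt"; then
        echo "new.crt: public key changed, safe to install"
    fi
    if ! key_rotated "$WORK/old.key" cert "$WORK/reissued.crt"; then
        echo "reissued.crt: same public key as old.key, rotation not done"
    fi
}

demo
```

Comparing SPKI fingerprints rather than serial numbers or notBefore dates is the point: a CA can issue a brand-new certificate, with fresh dates, for a key that was extracted while the server was vulnerable, and nothing in the certificate's metadata reveals that.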



