I Googled "mozilla ca bundle" [1] over the weekend, found something that made me go "wat," and wanted to run my observations past this list in case I missed something.

Before I present my findings, I should say that while I have a basic understanding of what CAs are, how the chain of trust works, etc., I'm largely ignorant of how the CA bundles are distributed and consumed in the wild. Some of the statements I'm about to make may be inaccurate or influenced by a novice understanding. However, the statements were influenced by content I found on the internets, so they may be indicative of what "average" developers and system admins believe.

Skipping the back story of how I got here, I found myself wanting to obtain Mozilla's CA bundle in PEM format so I could explicitly point some Python code at it. This led me to Google "mozilla ca bundle" so I could find a copy.

Long story short, the internets is full of guides ([2][3][4][5][6] etc.) detailing how to obtain the bundle in PEM format. The common solution seems to be:

a) download http://curl.haxx.se/ca/cacert.pem (over regular HTTP!)

or

b) Run https://raw.githubusercontent.com/bagder/curl/master/lib/mk-ca-bundle.pl to produce the PEM file that haxx.se distributes.

"b" is a somewhat gnarly-looking Perl script that downloads certdata.txt [7] from http://hg.mozilla.org/ or http://mxr.mozilla.org/ (more non-HTTPS URLs!) (hostname depends on which version / instruction you are looking at), and somehow munges it into a PEM file.

Wat?

Is the best way to obtain a copy of Mozilla's trusted CA bundle in PEM format (or any other popular format for that matter) really to download it from a 3rd party or to execute a Perl script that downloads it over HTTP?

It feels silly to be exposing downstream consumers of this all-important data to poor security hygiene (executing code written by others, 3rd party trust, non-HTTPS downloads) and needless increases in attack surface area (hg.mozilla.org and mxr.mozilla.org).

Is there a good reason Mozilla can't host copies of the trusted CA bundle in popular formats so people can obtain a copy directly from Mozilla? And while we're at it, can we add some PGP signatures for additional verification?

[1] https://www.google.ca/search?q=mozilla+ca+bundle
[2] http://curl.haxx.se/docs/caextract.html
[3] https://stackoverflow.com/questions/23032165/where-is-the-official-download-location-for-cacert-pem
[4] https://gist.github.com/jjb/996292
[5] http://notetoself.vrensk.com/2008/09/verified-https-in-ruby/
[6] http://www.petefreitag.com/item/830.cfm
[7] https://hg.mozilla.org/releases/mozilla-release/raw-file/default/security/nss/lib/ckfw/builtins/certdata.txt
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
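
As an added example (my own code, not mk-ca-bundle.pl and not anything Mozilla ships), here is the certdata.txt-to-PEM conversion that the Perl script in (b) performs, written in Python so the "munging" step is visible. It parses the CKO_CERTIFICATE and CKO_NSS_TRUST objects, pairs them on issuer plus serial number (my choice; matching on CKA_LABEL is the other obvious option), and keeps only certificates whose trust object says CKT_NSS_TRUSTED_DELEGATOR for CKA_TRUST_SERVER_AUTH, which is the selection a TLS client bundle wants. The embedded sample is constructed: two certificate/trust pairs with a few placeholder bytes standing in for real DER certificates, so it runs offline. Feed build_bundle() the real certdata.txt fetched from the HTTPS URL in [7] to get an actual bundle.

```python
import base64
import re

# Constructed sample in the certdata.txt layout (assumption: the octal bodies
# are short placeholder byte strings, not real DER-encoded certificates).
SAMPLE_CERTDATA = r"""
BEGINDATA
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_ISSUER MULTILINE_OCTAL
\060\011
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_ISSUER MULTILINE_OCTAL
\060\011
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
# Second certificate: a root for S/MIME only, not for TLS servers
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Email Only CA"
CKA_ISSUER MULTILINE_OCTAL
\060\012
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_VALUE MULTILINE_OCTAL
\060\005\002\001\002
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_ISSUER MULTILINE_OCTAL
\060\012
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\002
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

def parse_objects(text):
    """Split certdata.txt into a list of {CKA_attribute: value} dicts."""
    objects = []
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if not line.startswith("CKA_"):  # skip comments, BEGINDATA, blanks
            continue
        parts = line.split(None, 2)
        attr, typ, rest = parts[0], parts[1], parts[2] if len(parts) > 2 else ""
        if typ == "MULTILINE_OCTAL":  # body of \ooo escapes runs until a bare END
            body = []
            for raw in lines:
                if raw.strip() == "END":
                    break
                body.append(raw)
            value = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", "".join(body)))
        else:
            value = rest.strip('"') if typ == "UTF8" else rest
        if attr == "CKA_CLASS":  # every object starts with CKA_CLASS
            objects.append({})
        if objects:
            objects[-1][attr] = value
    return objects

def trusted_certs(text, purpose="CKA_TRUST_SERVER_AUTH",
                  level="CKT_NSS_TRUSTED_DELEGATOR"):
    """(label, DER) for each cert whose trust object, matched on
    (issuer, serial number), carries `level` for `purpose`."""
    certs, trust = {}, {}
    for obj in parse_objects(text):
        key = (obj.get("CKA_ISSUER"), obj.get("CKA_SERIAL_NUMBER"))
        if obj.get("CKA_CLASS") == "CKO_CERTIFICATE":
            certs[key] = obj
        elif obj.get("CKA_CLASS") == "CKO_NSS_TRUST":
            trust[key] = obj
    return [(c["CKA_LABEL"], c["CKA_VALUE"]) for key, c in certs.items()
            if trust.get(key, {}).get(purpose) == level]

def to_pem(der):
    """Wrap DER bytes as a PEM CERTIFICATE block, 64 base64 chars per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def build_bundle(text):
    """cacert.pem-style output: label, '=' underline, PEM block, per trusted root."""
    return "".join(f"{label}\n{'=' * len(label)}\n{to_pem(der)}\n"
                   for label, der in trusted_certs(text))
```

Usage against the real file is `print(build_bundle(open("certdata.txt").read()))`; on the sample only "Example Trusted Root" is emitted, and passing `purpose="CKA_TRUST_EMAIL_PROTECTION"` pulls in the second root as well. The conversion itself is the easy part; the question in the post stands regardless, because parsing correctly says nothing about whether the bytes came from Mozilla, and that still needs an HTTPS fetch and, ideally, a signature to check against.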