Message: 1
Date: Fri, 24 Oct 2014 17:35:30 -0500
From: [email protected]
To: [email protected]
Subject: Re: "Cert spam", or certs with huge numbers of hosts.
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
> The other way to have a MITM situation is if the CloudFlare network
> becomes compromised. The amount of damage a hacker can inflict is
> significantly greater now because of both the Universal SSL and
> Keyless SSL offerings.
>
> To your issue, John, are you requesting a change to the Firefox UI
> or is there another concern? I agree that it is probably necessary to
> show the O field because of situations like this and others where "I
> want you to trust me but I won't tell you who I am". Showing just the
> domain name isn't enough. For the example you mentioned
> (sevendays-dot-co) the whois lists a privacy service in Panama, so
> who exactly are they?!?
The popup Firefox gives when the user clicks on the lock icon
expresses more confidence than the cert indicates. It says
that you are securely connected to [destination domain name].
There's no mention of the fact that the cert says Cloudfront, Inc.
Firefox is creating false user confidence here.
I'll have more to say about this in a week or so. I've obtained
all the SSL certs known (U. Michigan tried every IPv4 address and
the results are available; it's about 34GB), and I'm going to find
all the certs where there are unusual multi-domain situations.
John Nagle
SiteTruth
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
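The two checks the thread keeps coming back to, "does the certificate say who the operator is (Subject O)?" and "how many unrelated domains does one certificate cover?", can be scripted against any PEM file with the openssl CLI. The script below is an added example, not code from the thread, from SiteTruth or from the U. Michigan scan project. It assumes an openssl binary of 1.1.1 or later (for -addext in the sample-cert helper), it builds its own constructed self-signed certificate shaped like a shared-hosting "cert spam" certificate rather than using a real one, and its registrable-domain function is a deliberately crude stand-in for the Public Suffix List (last two labels, or three for two-letter TLDs with a common second-level suffix); the 20-domain default threshold is likewise an arbitrary assumption for the demo.

```shell
#!/bin/sh
# Added example: inspect a certificate for the two properties discussed
# above, an empty Subject O and a large set of unrelated SAN domains.
# Requires the openssl CLI (1.1.1+ for -addext in make_sample_cert).

# Organisation (O) from the subject; prints nothing when the cert does
# not say who the operator is.
subject_o() {
    openssl x509 -in "$1" -noout -subject \
        -nameopt sep_multiline,utf8,esc_ctrl \
        | sed -n 's/^ *O=//p'
}

# One DNS SAN per line, with a leading "*." stripped so wildcards group
# with their base domain. -text prints all SANs on the line after the
# "Subject Alternative Name" header.
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS://p' \
        | sed 's/^\*\.//'
}

# Crude stand-in for the Public Suffix List (assumption for this demo):
# last two labels, or three when the TLD is two letters and the label
# before it is a common second-level suffix (co.uk, com.au, ...).
registrable_domain() {
    awk -F'[.]' '{
        n = NF
        if (n >= 3 && length($n) == 2 && $(n-1) ~ /^(co|com|org|net|ac|gov|edu)$/)
            print $(n-2) "." $(n-1) "." $n
        else if (n >= 2)
            print $(n-1) "." $n
        else
            print $0
    }'
}

# Number of DNS SANs in the certificate.
san_count() {
    san_dns_names "$1" | grep -c . || true
}

# Number of distinct registrable domains the certificate covers.
domain_count() {
    san_dns_names "$1" | registrable_domain | sort -u | grep -c . || true
}

# Exit 0 when the cert spans more than $2 (default 20, an arbitrary
# threshold) unrelated registrable domains, i.e. it looks like the shared
# multi-customer certificates the thread calls "cert spam".
is_cert_spam() {
    [ "$(domain_count "$1")" -gt "${2:-20}" ]
}

# One-line summary suitable for running over a whole corpus of PEM files.
cert_report() {
    o=$(subject_o "$1")
    printf '%s O=%s sans=%s domains=%s\n' \
        "$1" "${o:-<none>}" "$(san_count "$1")" "$(domain_count "$1")"
}

# Constructed sample: a self-signed cert with the shape under discussion,
# one certificate listing several unrelated customers' names. $2 is an
# optional Organisation; omit it to get the "won't tell you who I am" case.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
        -out "$1" -days 1 \
        -subj "/CN=shared.edge.example${2:+/O=$2}" \
        -addext "subjectAltName=DNS:shared.edge.example,DNS:*.alpha.example,DNS:alpha.example,DNS:bravo.example,DNS:www.charlie.co.uk,DNS:charlie.co.uk,DNS:delta.net" \
        2>/dev/null
}

# Stand-alone demo: build the two sample certs and summarise them.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/anon.pem"
make_sample_cert "$demo_dir/named.pem" "Example Edge, Inc."
cert_report "$demo_dir/anon.pem"
cert_report "$demo_dir/named.pem"
```

To apply it to a corpus, loop `cert_report` over the PEM files and sort on the `domains=` column; the interesting cases for the O-field argument are the rows where `O=<none>` and the domain count is high.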