On 24/03/15 08:33 PM, Ryan Sleevi wrote:

> On Tue, March 24, 2015 4:44 pm, Daniel Micay wrote:
>> They're willing to set the security standards *really low* because all
>> that matters is market share. I can't really understand how they ended
>> up in the position of having the dominant trust store used by FOSS
>> projects. Debian and other projects should move away from simply
>> shipping Mozilla's trust store as-is ASAP.
>
> To be fair, Debian and other projects have even lower security standards.
>
> That is, they still mark CAcert as secure for SSL in "stable" (how is that
> not a security update relevant, even if fixed in Unstable?!), haven't
> updated the ca-certificates package to remove any of the CAs that Mozilla
> removed for lack of current audits or modern crypto, and still include *as
> trusted for SSL* all the certificates that can't even match Mozilla's
> requirements for SSL (usually because of a lack of audits).
Sure, Debian's frozen release model doesn't support security. They'll only really backport stuff with CVEs assigned, and even then it's not a sure thing. I was just complaining on oss-security about the link on their main page (which is HTTPS, but with no HSTS/HPKP) using plain HTTP for the ISO links, with no indication that it's insecure and no link/instructions to validate via signature.

Other distributions use the newer versions of their ca-certificates package, so what they do there matters whether or not their release model is sane.

> The two most important things for managing a root store:
> - Keep it updated
> - Keep on top of the audits
>
> For what you decry about the Mozilla process, it's community driven and
> excels at those two things, which is exactly how it became the dominant
> trust store.

It's not community driven. They openly accept community contributions. The development is open, but no more open than Chromium's. It's not a closed-door mess like Android, sure.

If you contribute to Mozilla projects with the expectation that you'll be treated as an equal, or even close to that, you are going to end up very disappointed, like myself. Mozilla has a history of ignoring the community and just digs deeper and deeper into a hole. The responses from paid employees tend to stick to bullshit talking points, or there's no explanation at all. I often see Chromium make awful choices and then reverse them when users turn out to be overwhelmingly against them, but not Firefox.

Mozilla is certainly a lot better at duping people into volunteering for the project than Google, I'll give you that. Their marketing is great, and they always stay on message, promoting themselves as something they are really not.
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy

