Is Mozilla going to hold itself accountable to whatever absurd maximalist requirements come from the game of 'beat up the third party because we have power here'?
Browsers have bugs. The result of a coding error that permits a script injection or buffer run attack is at least as serious as any error or omission by any CA. In my experience, those are found with much higher frequency than CA errors or omissions. The issue with DigiNotar was not that they were breached, it was that they lied about it. The breach itself was a lot more serious because of the way they had configured their internal systems but even that might have been fixable if they hadn't lied about the breach. I haven't worked for a CA for several years now. I do Threshold Key Infrastructure these days. On Tue, Aug 23, 2022 at 10:46 AM 'LB' via [email protected] < [email protected]> wrote: > It does not feel right, I agree Mr Hurst. > > More information from the attack is coming to light, and it is concerning. > > To Mozilla: when the full extent of the leak comes out, with the data (and > it will) - what will be your threshold for action? Are you expecting > '-----begin rsa private key-----' or something less? > > Risk is posed to all users of Mozilla products (and also Microsoft and > Apple and Google who i am sure are having similar thoughts). > > At very least Entrust should stop issuing certificates - they should have > before. > why do we trust Entrust here? > > What will Mozilla do if it comes to light there was a real compromise and > huge risk and Mozilla knew privately but did nothing? Is risk to internet > users of no concern? > > Sent with Proton Mail <https://proton.me/> secure email. > > ------- Original Message ------- > On Monday, August 22nd, 2022 at 16:47, Ryan Hurst <[email protected]> > wrote: > > While that is positive news I will point out that in past incidenta > compromise of non-issuance related infrastructure enabled attackers to > achieve lateral movement which in turn led to deeper compromises, in some > cases such as DigiNotar, this led to miss-issuance. > > I think if nothing else this begs the question what kind of notification > requirements to the community should exist for such situations. > > It just doesn't feel right that this incident is public and the only > details relating to its impact on the WebPKI is discovered by the community > in this fashion. > > Ryan Hurst > (Personal Capacity) > > On Mon, Aug 22, 2022 at 8:28 AM Ben Wilson <[email protected]> wrote: > >> Actually, Entrust reached out about a month ago with this message to me: >> >> *On June 18, 2022, we determined that an unauthorized party accessed >> certain of our systems used for internal operations – functions such as HR, >> finance, and marketing. We promptly began an investigation with the >> assistance of a leading third-party cybersecurity firm and have informed >> law enforcement. * >> >> *While our investigation is ongoing, we have found no indication to date >> that the issue has affected the operation or security of our products and >> services, which are run in separate environments from our internal systems >> and are fully operational. Regarding our Public Certification Authority - >> all roots are offline and require multiple security cleared people be >> physically present in a secure room to access.* >> >> *We take seriously our responsibility to protect our systems and have >> been engaged with our customers on the issue. * >> >> As stated, there was no impact to our roots as the roots are offline and >> can only be accessed if two people are physically present in a secure room. >> Also, our PKI system is on a separated infrastructure, so was not accessed. >> >> Since there has been no impact to our PKI and certificate issuance >> systems, which use roots distributed by your application, we did not raise >> an incident. >> >> Ben >> >> On Mon, Aug 22, 2022 at 9:26 AM 'LB' via [email protected] >> <[email protected]> wrote: >> >>> Given news that Entrust were subject to a ransomware attack, which until >>> now they have not confirmed or given any details on in public - what point >>> do we need to assume the CAs and CA operations are compromized? >>> >>> Should action be taken by Mozilla to eliminate risk and remove trust in >>> root authority? >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "[email protected]" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion on the web visit >>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/zEcsmYjEJdXUd-H8gWEsBaGnIx44oLKyjOHxvd7edfkpHSc58eRxXoWH7sfZot5hWqBNaPe-7topJps-0YQQedb1UvuUwvBe4T43dNoSALE%3D%40proton.me >>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/zEcsmYjEJdXUd-H8gWEsBaGnIx44oLKyjOHxvd7edfkpHSc58eRxXoWH7sfZot5hWqBNaPe-7topJps-0YQQedb1UvuUwvBe4T43dNoSALE%3D%40proton.me?utm_medium=email&utm_source=footer> >>> . >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "[email protected]" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion on the web visit >> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZmE5vqWKiyXwWHbz-AV5piXM0oshc%3DoVrAAw3MVh_NHw%40mail.gmail.com >> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZmE5vqWKiyXwWHbz-AV5piXM0oshc%3DoVrAAw3MVh_NHw%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > > -- > You received this message because you are subscribed to the Google Groups " > [email protected]" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/3NWDj3HP1779rDQl1tUjIFERNRMjAUZgoVR6msxTHPIqa9hUCmM6W6HbRkJLUq1gNBHC4wuKEzmPNKoSf33gsJmQ7OmopvwgDz97dlMsdbU%3D%40proton.me > <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/3NWDj3HP1779rDQl1tUjIFERNRMjAUZgoVR6msxTHPIqa9hUCmM6W6HbRkJLUq1gNBHC4wuKEzmPNKoSf33gsJmQ7OmopvwgDz97dlMsdbU%3D%40proton.me?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAMm%2BLwg6cvDrck2dK-6wxXxEj_sRBpUeA8q16dbWjpJRURA-UA%40mail.gmail.com.
