Nobody wrote:
In their newsletter last night (http://www.privsoft.com/archive/nws-who.html), PSC software (BOClean) indicated that they believe that NSSCKBI.DLL contains some questionable and demonstratively untrustworthy certificate authorities. Their initial reaction was to include the file in their definitions and offer to remove it. After complaints that this was a false positive and after finding that removing the file broke Mozilla products, they removed NSSCKBI.DLL from their definitions, reissued the update, and published their newsletter explaining the course of events. They continue to believe that the file (or rather some of the CAs in the file) is untrustworthy but don't want to break FF.

Many of us rely heavily on FF's indication that a site is safe before we enter personal or financial info. Please comment on whether you consider PSC's concerns reasonable, and if so, whether an effort will be made to remedy this problem.

F/Us set to mozilla.dev.security

Is this somebody's idea of a joke?

This site makes a lot of unsubstantiated and bogus allegations.
I am only responding to show how little the author knows about Mozilla.

Quote:

"c:\builds\tinderbox\Fx-Mozilla1.8.0-Release\WINNT_5.2_Depend\mozilla\nss\nssckbi\nssckbi.pdb
**********************************************************/

The "root certificates" which this file places go into the Windows registry in the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates

and exists as "subkeys" of the above with GUID numbers to identify each subkey."

This is a PDB file - a Microsoft Program Database file - in other words, debug information. This file doesn't contain any code, and thus cannot place any certs into the registry, by definition.

The writer probably meant to discuss nssckbi.dll, which is a PKCS#11 module containing the definitions of the root certs used in Mozilla. This module also does not touch the Windows registry.
The discussion that follows is based on this incorrect statement.

Quote:
"no "viewer/editor" within Netscape/mozilla/Firefox is apparently available for their contents"

The author must not have looked very hard. In Mozilla suite or SeaMonkey, go to Edit/Preferences/Privacy & Security/Certificates/Manage Certificates/Authorities. Click on "View" and "Edit" buttons. All the certs from nssckbi.dll are from the "Built-in Object Token" and viewable and editable.

Quote:
"Mozilla's NSSCKBI.DLL file contains a number of "secure sockets layer" (SSL) certificates, including certificates from several unknown and possibly dubious "certifying authorities." It is our opinion that there are some questions raised by the presence of this module and in particular its contents and its ability to modify the machines of users of Netscape, Mozilla and Firefox. Therefore, we hope some external and independent parties and other experts might examine this further, independent of us, to determine whether there actually is a concern here.

...

We feel that this is a serious security risk since some of the "certifying authorities" embedded in this file are known to be used by a number of malware programs and because any download "signed" by any of these questionable certifying authorities would be downloaded, installed and run without warning because of the successfully "signed certificate." This is the crux of the issue as we see it, but disabling this file completely breaks Netscape/Mozilla/Firefox (as well as the winsock stack) as was reported when we learned of the "false positive." We had no choice but to immediately pull the "detection" as a result and assist a number of users ill-affected in restoring the "status quo" who had not received the update which resolved the problem."

How about substantiating this claim and stating which CAs are known to be used by malware programs? If true, this information would be of great interest to the Mozilla foundation to remove such certificates. Note that most CAs in nssckbi.dll have already gone through evaluations, either by Netscape before the browser code was open sourced, or by Webtrust subsequently.

Quote:
"The "issue" as we see it is that the end user is not presented with the ability to accept or decline certificates by these unknown quantities, and once a certificate is "stored" on the machine, then any certificate granted by these authorities to others is now considered both "valid" and "safe." Further, the option to VIEW the existing certificates is not available to the user through Netscape/Mozilla/Firefox and is instead hidden in the Windows registry in a difficult to view and modify means."

Mozilla does not in any way rely on the Windows registry for certificate storage or trust. It uses the PKCS#11 interface. I'll refer you to my earlier answer about how to view and edit certificates in Mozilla.
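To make the reply's point concrete, here is an added example (not from the thread or from Mozilla) that treats nssckbi as what it is: an ordinary PKCS#11 module whose "Builtin Object Token" any PKCS#11 client can open, with no registry involved. It loads the module with ctypes and enumerates every certificate object with its label and DER bytes; the library path and the Linux x86-64 struct layout are assumptions.

```python
import ctypes
from ctypes import CFUNCTYPE, POINTER, byref, c_ubyte, c_ulong, c_void_p
# PKCS#11 constants; struct layout assumes the Linux x86-64 ABI (8-byte CK_ULONG, no packing)
CKR_OK, CKO_CERTIFICATE, CKA_CLASS, CKA_LABEL, CKA_VALUE, CKF_SERIAL_SESSION = 0, 1, 0, 3, 0x11, 4
class CK_ATTRIBUTE(ctypes.Structure):
    _fields_ = [("type", c_ulong), ("pValue", c_void_p), ("ulValueLen", c_ulong)]
class CK_FUNCTION_LIST(ctypes.Structure):
    # CK_VERSION, then the 68 PKCS#11 v2.x entry points in the order the spec lists them
    _fields_ = [("major", c_ubyte), ("minor", c_ubyte), ("fn", c_void_p * 68)]

def load_builtin_roots(path="/usr/lib/x86_64-linux-gnu/nss/libnssckbi.so"):
    """Open nssckbi as an ordinary PKCS#11 module and return [(label, der_bytes), ...] for
    every certificate object in its token; None if the module is absent (path is an assumption)."""
    try:
        lib = ctypes.CDLL(path)
    except OSError:
        return None
    lib.C_GetFunctionList.argtypes = [POINTER(POINTER(CK_FUNCTION_LIST))]
    fl = POINTER(CK_FUNCTION_LIST)()
    lib.C_GetFunctionList(byref(fl))
    tbl = fl.contents.fn
    def fn(i, *args):  # bind table entry i to its C prototype (every entry returns CK_RV)
        return CFUNCTYPE(c_ulong, *args)(tbl[i])
    c_init, c_fin, close_sess, find_final = fn(0, c_void_p), fn(1, c_void_p), fn(13, c_ulong), fn(28, c_ulong)
    get_slots = fn(4, c_ubyte, POINTER(c_ulong), POINTER(c_ulong))
    open_sess = fn(12, c_ulong, c_ulong, c_void_p, c_void_p, POINTER(c_ulong))
    get_attr = fn(24, c_ulong, c_ulong, POINTER(CK_ATTRIBUTE), c_ulong)
    find_init = fn(26, c_ulong, POINTER(CK_ATTRIBUTE), c_ulong)
    find = fn(27, c_ulong, POINTER(c_ulong), c_ulong, POINTER(c_ulong))
    def attr(sess, obj, kind):  # two-call fetch: ask for the size, then for the bytes
        a = CK_ATTRIBUTE(kind, None, 0)
        if get_attr(sess, obj, byref(a), 1) != CKR_OK:
            return b""
        buf = ctypes.create_string_buffer(a.ulValueLen)
        a.pValue = ctypes.addressof(buf)
        get_attr(sess, obj, byref(a), 1)
        return buf.raw[:a.ulValueLen]
    c_init(None)
    slot, count, sess = c_ulong(0), c_ulong(1), c_ulong(0)
    get_slots(1, byref(slot), byref(count))  # nssckbi exposes one slot: the Builtin Object Token
    open_sess(slot.value, CKF_SERIAL_SESSION, None, None, byref(sess))
    cls = c_ulong(CKO_CERTIFICATE)  # search template: every object of class certificate
    tmpl = CK_ATTRIBUTE(CKA_CLASS, ctypes.addressof(cls), ctypes.sizeof(cls))
    find_init(sess.value, byref(tmpl), 1)
    roots, obj, got = [], c_ulong(0), c_ulong(0)
    while find(sess.value, byref(obj), 1, byref(got)) == CKR_OK and got.value:
        roots.append((attr(sess.value, obj.value, CKA_LABEL).decode(), attr(sess.value, obj.value, CKA_VALUE)))
    find_final(sess.value)
    close_sess(sess.value)
    c_fin(None)
    return roots
```

Each label is the nickname the certificate manager shows under "Builtin Object Token", and each DER blob can be fed to any X.509 parser to inspect the root directly.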
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security