On 7/4/12 10:34 AM, John Nagle wrote:
> A CA called Cyberoam appears to have issued a wildcard cert to
> enable MITM attacks for "deep packet inspection"
[...]
>
> They're not a CA trusted by Mozilla, apparently.

They're not a CA. Businesses wishing to use the Cyberoam devices need to install the Cyberoam self-issued CA-cert on each computer on the network. Enterprises could either push the cert to everyone if they have that kind of tool, or require that workers "voluntarily" install it themselves (because otherwise you aren't able to reach the internet).

If we implement cert pinning we'll either have to allow that kind of business to disable it, or write off our users who work for companies with that kind of control freakery. It's more common than you'd think, some of our own Mozilla community members work for companies with that kind of policy.

-Dan Veditz

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
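
The trade-off described in the message above, as an added sketch that is not part of the original post and is not Mozilla code: a pin check run after normal path validation, with a hypothetical `allow_local_anchors` switch that skips pin enforcement when the chain ends in a root the administrator installed rather than one shipped with the browser. All certificate names, key bytes and the host name are constructed.

```python
import hashlib
from typing import NamedTuple


class Cert(NamedTuple):
    subject: str
    spki: bytes                 # constructed stand-in for DER SubjectPublicKeyInfo
    builtin_root: bool = False  # True only for a root shipped with the browser


def spki_pin(cert):
    """SHA-256 over the SPKI bytes, the value a pin set would store."""
    return hashlib.sha256(cert.spki).hexdigest()


def check_pins(chain, pins, allow_local_anchors):
    """chain is already path-validated: leaf first, trust anchor last.

    Returns 'ok', 'ok-local-anchor' or 'pin-failure'.
    """
    if any(spki_pin(c) in pins for c in chain):
        return "ok"
    # No pinned key in the chain. Exempt it only if the anchor was added
    # locally (hypothetical policy switch, an assumption of this example).
    if allow_local_anchors and not chain[-1].builtin_root:
        return "ok-local-anchor"
    return "pin-failure"


# Constructed sample data
SITE_CA = Cert("Example Site CA", b"site-ca-key", builtin_root=True)
OTHER_CA = Cert("Other Public CA", b"other-ca-key", builtin_root=True)
PROXY_CA = Cert("Inspection Proxy CA", b"proxy-ca-key")  # admin-installed

PINS = {spki_pin(SITE_CA)}  # pin set for www.example.test

CHAINS = {
    "genuine": [Cert("www.example.test", b"site-key"), SITE_CA],
    "misissued": [Cert("www.example.test", b"rogue-key"), OTHER_CA],
    "inspected": [Cert("www.example.test", b"proxy-minted-key"), PROXY_CA],
}


def evaluate():
    """Map each chain to its (strict, local-anchor-exempt) verdicts."""
    return {name: (check_pins(c, PINS, False), check_pins(c, PINS, True))
            for name, c in CHAINS.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:10} strict={verdicts[0]:12} exempt={verdicts[1]}")
```

With the exemption on, a chain misissued under a different built-in root still fails the pin check, while the inspection proxy's chain passes and is reported separately so it can be logged or surfaced to the user.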
