Open Source and information security mailing list archives
 
Date: Mon, 13 Feb 2012 16:18:56 +0000
From: Nick Boyce <nick.boyce@...il.com>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Cc: FunSec List <funsec@...uxbox.org>
Subject: Re: Trustwave and Mozilla

On Sun, Feb 12, 2012 at 10:54 AM, Jeffrey Walton <noloader@...il.com> wrote:

> https://www.infoworld.com/d/security/trustwave-admits-issuing-man-in-the-middle-digital-certificate-185972
>
> In case folks are interested in the following Mozilla's response to
> active MitM attacks that were facilitated by Trustwave, the bug report
> is here: http://bugzilla.mozilla.org/show_bug.cgi?id=724929.
>

Can anyone confirm that Trustwave CA certificates in the local Mozilla
certificate store are the ones with names containing the word "SecureTrust"?

I want to disable Trustwave CAs on all my local systems, but am not certain
which are the relevant ones.  For some benighted reason, the word
"Trustwave" is not present in any of the certificate names in the FF
certificate store on WinXP or Debian (Iceweasel).  Ironically of course,
the word "trust" appears everywhere :)

I found a page at mozilla.org which appears to show all CAs included with
FF, and that Trustwave certificates are labelled "SecureTrust" :
http://www.mozilla.org/projects/security/certs/included/
but I would like confirmation from Someone Who Knows Better.

Be advised: the above page appears to be some kind of .. [recoils in
horror] .. XML which doesn't render properly on WinXP, but renders fine on
Debian Linux.  Maybe there's some XSL needed somewhere.

Cheers
Nick
-- 
XML is like violence. If it doesn't solve the problem, use more.
