lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f62b02a7a88d71e7a244b8d210cbc264.squirrel@cruziomail.cruzio.com>
Date: Mon, 22 Mar 2010 11:34:21 -0700 (PDT)
From: dveditz@...zio.com
To: "Francis Litterio" <flitterio@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Firefox 3.6 for Windows includes a forged CA cert

> a cert labeled "MD5 Collisions Inc (http://www.phreedom.org/md5)" [...]
> Yes, it's expired, so it poses no real threat, but why is the Mozilla
> Project shipping Firefox with that cert?  It just causes FUD.

This is an override for the forged cert, with all trust bits removed. That
way should the demo cert make it into the wild users will get a hard
failure rather than an overridable one. We worried that many users are
trained to accept "expired" certs as fairly normal and not notice it was
an expired intermediate rather than the end cert.

For more information please see
https://bugzilla.mozilla.org/show_bug.cgi?id=471715

-Dan Veditz

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ