Open Source and information security mailing list archives
Message-ID: <4F459704.8060705@own-hero.net>
Date: Thu, 23 Feb 2012 02:31:48 +0100
From: decoder <decoder@...-hero.net>
To: noloader@...il.com
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Trustwave and Mozilla (Resolved)

Hi,

some important points seem to be missing here. First of all, Mozilla sent a CA
communication that clarifies that issuing MitM certificates is not
acceptable under the policy (in fact, the policy was *not* clear about that
before; this case had never come up). Furthermore, all other CAs (and
according to Trustwave, quite a few CAs consider this "common
practice") have been given a deadline by which all of these
certificates have to be disclosed (so they can be blocked) and revoked.
Any CA not following this faces removal from NSS, which seems a clear
statement to me.

How is that compatible with "violating the end user"? In fact, revoking
the Trustwave CA wouldn't have helped a lot to protect the end user. It
wouldn't have been possible to call out to other CAs and get them to
stop their MitM business, because every such CA disclosing its MitM
cert policy would have been removed as well (otherwise it would be
unfair, wouldn't it?).

It seems to me that the situation is far from as simple as some people
try to make it. Oh, and by the way: have you heard of any other browser
vendor taking *any* steps against Trustwave?


Best,

Chris

On 02/23/2012 01:12 AM, Jeffrey Walton wrote:
> It appears to be official.
>
> Trustwave issued MitM certificates, which is deceptive, unethical, and
> contrary to its agreement for inclusion.
>
> Mozilla just rewarded their violations of trust by continuing their
> inclusion. Apparently, agreements between Mozilla and CAs have no
> veracity as both are more than happy to violate the end user.
>
> Original Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=724929
> NSS and Firefox Update: https://bugzilla.mozilla.org/show_bug.cgi?id=728617
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
