Re: [Full-disclosure] Trustwave and Mozilla (Resolved)

From: Jeffrey Walton <noloader@xxxxxxxxx>
Date: Wed, 22 Feb 2012 21:03:05 -0500

On Wed, Feb 22, 2012 at 8:31 PM, decoder <decoder@xxxxxxxxxxxx> wrote:

Hi,

some important points seem missing here. First of all, Mozilla sent a CA
communications that clarifies that issuing MitM certificates is not
acceptable by the policy (in fact, the policy was *not* clear about that
before, this case has never been there).

Ass Eddy Nigg pointed out
(https://bugzilla.mozilla.org/show_bug.cgi?id=724929#c13), it was a
clear violation:

Basically this is not your problem if you don't dictate how this
should be done. The Mozilla Policy at
http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html
requires:

for a certificate to be used for SSL-enabled servers, the CA
takes reasonable measures to verify that the entity submitting
the certificate signing request has registered the domain(s)
referenced in the certificate or has been authorized by the domain
registrant to act on the registrant's behalf;

Failing to ensure the above would be a violation by that CA.

Furthermore, all other CAs (and
according to Trustwave, quite a few CAs consider this "common
practice"), have been given a deadline by which all of these
certificates have to be disclosed (so they can be blocked) and revoked.
Any CA not following this faces removal from NSS, which seems a clear
statement to me.

Hmmm.... I'm not sure how allowing a confession with no retirbution is
good for users or even ethical CAs. I think its sets a terrible
precedent. Users can expect to be violated again because Mozilla
implicitly condoned the actions by not penalizing the guilty. Ethical
CAs a further victimized because they cannot usurp customers from CAs
which were removed.

How is that compatible to "violating the end user"? In fact, revoking
the Trustwave CA wouldn't have helped a lot to protect the end-user. It
wouldn't have been possible to call out to other CAs and get them to
stop their MitM business because every such CA disclosing their MitM
cert policy would have been removed as well (otherwise it would be
unfair, wouldn't it?).

Gothcha. The mob defense invoked by CAs.

It seems to me that the situation is by far not as easy as some people
try to put it. Oh and by the way: Have you heard of any other browser
vendor taking *any* steps against Trustwave?

Gotcha. The mob defense invoked by Mozilla. (I know, that's not
Mozilla's position).

For what its worth, if if Microsoft does not act it is the company's
choice since I reported via email to their security email addresses
(there was nothing relevant on Microsoft Connect).

Out of curiosity: what do you think is going to happen when one of
these CAs cooperates with law enforcement (rather than a court order)
and gets caught doing it in the future? They now know they can act
with impunity since Mozilla's sactions are laughable.

Jeff

On 02/23/2012 01:12 AM, Jeffrey Walton wrote:

It appears to be official.

Trustwave issued MitM certificates, which is deceptive, unethical, and
contrary to its agreement for inclusion.

Mozilla just rewarded their violations of trust by continuing their
inclusion. Apparently, agreements between Mozilla and CAs have no
veracity as both are more than happy to violate the end user.

Original Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=724929
NSS and Firefox Update: https://bugzilla.mozilla.org/show_bug.cgi?id=728617

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] Trustwave and Mozilla (Resolved)
  - From: Jeffrey Walton
- Re: [Full-disclosure] Trustwave and Mozilla (Resolved)
  - From: decoder

Prev by Date: Re: [Full-disclosure] Trustwave and Mozilla (Resolved)
Next by Date: Re: [Full-disclosure] Patator - new multi-purpose brute-forcing tool
Previous by thread: Re: [Full-disclosure] Trustwave and Mozilla (Resolved)
Next by thread: Re: [Full-disclosure] Trustwave and Mozilla (Resolved)
Index(es):
- Date
- Thread

Relevant Pages

Re: Policy CAs:
... You have been focusing on the technical side, and are omitting the policy side. ... Policy is enforced by written policy and people following these policies. ... clear on is HOW it describes these policies and how it forces other CAs below ... A policy CA issues certificates only to ...
(microsoft.public.security)
Policy CAs:
... I am still not completely sure as to the functions of a Policy CA. ... clear on is HOW it describes these policies and how it forces other CAs below ... A policy CA issues certificates only to ...
(microsoft.public.security)
Re: autoenrolment/certificate questions
... If we now create our own version 2 template "workstation ... Supersedeing is the recomended way of doing this, the old certificates will ... CAs is to just configure them to issue the same templates and have the same ... > are appearing in the local cert store of all the clients. ...
(microsoft.public.windows.server.security)
Re: E-Mail-Versand =?iso-8859-15?Q?=FCber?= offenes WLAN
... Da die meisten vorinstallierten CAs per se nicht vertrauenswuerdig ... Es geht nicht einmal um kompromitierte CAs (von denen selbst Mozilla ... Telekommunikationsunternehmen verschiedener Laender. ... bezueglich Zugriffs staatlicher Gewalt auf ...
(de.comp.security.misc)
Re: anti-malware progs ineffective
... >Mozilla is a very well done browser, that can be configured to block ... >consider checking out Mozilla. ... I always accept known certificates only temporarily. ... numbering to work halfway reliably. ...
(sci.electronics.design)