Firefox 3.5.2 and 3.0.13 fix SSL security problems

From:  Samuel Sidler <ss-AT-mozilla.com>
To:  announce-AT-lists.mozilla.org
Subject:  Firefox 3.5.2 and 3.0.13 now available for download
Date:  Mon, 3 Aug 2009 16:04:08 -0700
Message-ID:  <37B04466-D22D-4FBE-8DCC-43F2D912AEB9@mozilla.com>
Cc:  dev-planning-AT-lists.mozilla.org

(follow up to mozilla.dev.planning / dev-planning@lists.mozilla.org)

As part of Mozilla's ongoing stability and security update process,  
Firefox 3.5.2 and Firefox 3.0.13 are now available for Windows, Mac,  
and Linux as free downloads:

   * Firefox 3.5.2 is available at http://firefox.com/
   * Firefox 3.0.13 is available at http://www.mozilla.com/firefox/all-older.html

We strongly recommend that all Firefox users upgrade to this latest  
release. If you already have Firefox 3.5 or Firefox 3, you will  
receive an automated update notification within 24 to 48 hours. This  
update can also be applied manually by selecting "Check for  
Updates..." from the Help menu.

For a list of changes and more information, please review the Firefox  
3.5.2 Release Notes and the Firefox 3.0.13 Release Notes:

   * http://www.mozilla.com/firefox/3.5.2/releasenotes/
   * http://www.mozilla.com/firefox/3.0.13/releasenotes/

Note: All Firefox 3.0.x users are encouraged to upgrade to Firefox  
3.5.x by downloading it from http://firefox.com/.




Firefox 3.5.2 and 3.0.13 fix SSL security problems

Posted Aug 4, 2009 8:42 UTC (Tue) by intgr (subscriber, #39733) [Link]

The real bug is with certificate authorities that fail to do proper input validation on the common name field. Come on, this is completely essential to defensive programming, something you would expect from every web site, especially security-sensitive sites like certificate authorities.

Firefox 3.5.2 and 3.0.13 fix SSL security problems

Posted Aug 4, 2009 9:51 UTC (Tue) by epa (subscriber, #39769) [Link]

The customers of the CA have no idea what code the CA is using, and they don't really care. (I just want my site to work without giving error messages; I don't care if the CA is doing stupid stuff, as long as they issue my certificate in the end.)

Unless CAs are kicked off from the trusted list in browsers for incompetence like this, they have little incentive to sort it out.

Firefox 3.5.2 and 3.0.13 fix SSL security problems

Posted Aug 4, 2009 11:53 UTC (Tue) by tialaramex (subscriber, #21167) [Link]

I agree that the browser vendor (or in cases where the OS includes a CA list, the OS vendor) is the right place to do this.

But I disagree that it'll give an incentive to "sort it out". The com gTLD is extremely poorly managed, and so e.g. Firefox doesn't show IDNs in com because they're routinely abused there. There's no sign that policies at the com registry have changed or will change in light of blacklisting.

Verisign's commercial incentive is the same as a criminal lawyer's. Don't ask too many questions, don't look too carefully at what you're shown, don't worry where the money comes from. Finding out that your customer is a bad guy is hassle you don't need. So just make sure you don't find out. They take the money from the customer, give them a domain, a certificate or whatever else they want. The fact that there's a _user_ who expected some value out of Verisign's role in this transaction is irrelevant because the users don't pay Verisign a dime.

Firefox 3.5.2 and 3.0.13 fix SSL security problems

Posted Aug 4, 2009 16:06 UTC (Tue) by ewan (subscriber, #5533) [Link]

The incentive for the CA to sort themselves out doesn't come directly from the browser vendor, or the end users, it comes from the CA's (potential) customers. If I'm shopping for an SSL cert I don't want just any SSL cert (otherwise I'd make my own), I want an SSL cert that browsers will accept by default. If the common browsers don't trust a particular CA by default there's no point me buying a cert from that CA, so the CA's business falls off until they sort themselves out to the browser vendors' satisfaction.

Firefox 3.5.2 and 3.0.13 fix SSL security problems

Posted Aug 4, 2009 20:39 UTC (Tue) by qubes (subscriber, #2562) [Link]

I think you are missing the point. If Firefox dropped a major CA because of lapses like this, users would blame Firefox for banking websites that now show up as untrusted.

We now have an anonymous ip<-->dns space and the CAs that are bundled with the major OSes have a financial incentive to not care who gets a trusted certificate.

Firefox 3.5.2 and 3.0.13 fix SSL security problems

Posted Aug 4, 2009 23:00 UTC (Tue) by job (subscriber, #670) [Link]

I'm afraid you are completely correct in your assumption. That's why the CA model is and has always been broken (that, and users having to accept self-signed certificates). The only thing that would give expected results, technically as well as politically, is to bundle certs with domain names. I believe DNSSEC may be that solution. DNS may not be optimized for it but it's here and it works.

Firefox 3.5.2 and 3.0.13 fix SSL security problems

Posted Aug 5, 2009 19:16 UTC (Wed) by vonbrand (subscriber, #4458) [Link]

If my CA does it right, the tools are around to create my own, doctored certificates. You just can't trust anything you get over the 'net, period.

Firefox 3.5.2 and 3.0.13 fix SSL security problems

Posted Aug 5, 2009 21:24 UTC (Wed) by intgr (subscriber, #39733) [Link]

What good is the attack if you can't get the certificate signed by any of the trusted authorities?

It has always been possible to create self-signed certificates for arbitrary domain names; having a \0 in it doesn't change anything.
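
Added example (not part of the thread, and not code from Mozilla or any CA): a sketch of the common-name input validation discussed in the comments above, which rejects a requested name containing a `\0` byte before it could be signed. The function name `cn_is_valid_hostname` and the hostname policy (letters, digits and hyphens per label, one optional leading wildcard) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int is_alnum_ascii(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

/* Hypothetical CA-side check run on a requested common name before signing.
 * cn/len are the raw bytes and declared length of the field; the value is
 * length-delimited, so it can carry a 0x00 byte that C string code never sees.
 * Returns 1 for a plain DNS hostname (assumed policy), 0 otherwise. */
int cn_is_valid_hostname(const unsigned char *cn, size_t len)
{
    size_t i = 0, label_len = 0;

    if (cn == NULL || len == 0 || len > 253)
        return 0;
    if (memchr(cn, '\0', len) != NULL)      /* embedded NUL: reject outright */
        return 0;
    if (len > 2 && cn[0] == '*' && cn[1] == '.')
        i = 2;                              /* one leading wildcard label */
    for (; i < len; i++) {
        unsigned char c = cn[i];
        if (c == '.') {
            if (label_len == 0 || cn[i - 1] == '-')
                return 0;                   /* empty label or trailing '-' */
            label_len = 0;
        } else if (is_alnum_ascii(c) || (c == '-' && label_len > 0)) {
            if (++label_len > 63)
                return 0;                   /* DNS label length limit */
        } else {
            return 0;                       /* control bytes, spaces, '*', ... */
        }
    }
    return label_len > 0 && cn[len - 1] != '-';
}

int main(void)
{
    /* Constructed sample: 28 bytes declared, but strlen() sees only 15. */
    static const unsigned char nul_cn[] = "www.example.com\0.example.net";
    printf("strlen=%zu valid=%d\n", strlen((const char *)nul_cn),
           cn_is_valid_hostname(nul_cn, sizeof nul_cn - 1));
    return 0;
}
```

The same length-aware check applies on the verifying side: any code that compares a certificate name to a hostname should use the declared length of the field rather than a NUL-terminated view of it.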
