Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for May 23, 2013
An "enum" for Python 3
An unexpected perf feature
LWN.net Weekly Edition for May 16, 2013
A look at the PyPy 2.0 release
If I understand correctly the comments there (in particular https://bugzilla.mozilla.org/show_bug.cgi?id=682956#c10), it is more than just removing: it is blacklisting _by name_.
We probably will know how bad it was only after the true bug report is opened up.
Fraudulent *.google.com certificate issued
Posted Aug 30, 2011 3:27 UTC (Tue) by josh (subscriber, #17465)
Posted Aug 30, 2011 4:04 UTC (Tue) by dlang (✭ supporter ✭, #313)
blocking by fingerprint blocks one particular CA cert, blocking by name blocks every CA cert with that name, effectively passing a death sentence on that CA (at least under that name, and if the same people submit a new CA to be accepted by the browsers, it's unlikely to be accepted)
Posted Aug 30, 2011 22:36 UTC (Tue) by martinfick (subscriber, #4455)
How would that work?
Posted Aug 30, 2011 22:43 UTC (Tue) by dlang (✭ supporter ✭, #313)
Posted Aug 30, 2011 22:51 UTC (Tue) by martinfick (subscriber, #4455)
Posted Aug 31, 2011 15:43 UTC (Wed) by raven667 (subscriber, #5198)
Posted Aug 31, 2011 15:56 UTC (Wed) by martinfick (subscriber, #4455)
Posted Aug 31, 2011 16:37 UTC (Wed) by raven667 (subscriber, #5198)
Building up the paper trail that a CA needs to be accepted by the browsers does require effort and time but you are right in that I have not worked close enough to the CA/browser relationship to know exactly what is required to register with MS, Mozilla, Apple, Opera, Oracle, Google, RIM, and other vendors.
Posted Sep 1, 2011 7:56 UTC (Thu) by Comet (subscriber, #11646)
Things like Linkage Analysis, where they figure out which companies own which other companies, and trace down who actually owns a company.
It's human legwork to maintain their databases. Thus they get to charge money for queries against them.
So, I certainly hope that the major CAs are doing at least a paid check with one of the merchant houses before issueing EV certs, and anyone bundling together a group of CAs for others to trust should either be saying "don't trust us, this is just what we find convenient" (amateur, but sometimes appropriate) or should be doing the same due diligence.
Posted Sep 1, 2011 18:20 UTC (Thu) by raven667 (subscriber, #5198)
In this case though attackers are believed to have compromised the infrastructure and had enough access that they could issue whatever they liked without going through the audit and security controls. The technical measures which could prevent this are difficult, cumbersome, expensive and not foolproof. At some point you have to be able to accept a CSR from a customer and expose it to the HSA and receive a result. If you can get anywhere in that path you can send your own CSRs and have whatever you want signed.
Posted Aug 30, 2011 6:46 UTC (Tue) by imphil (guest, #62487)
current patches to Mozilla products will blacklist all DigiNotar-issued
certificates based on "CN=DigiNotar " in the certificate issuer. Users
will be able to add a certificate override for DigiNotar-issued
certificates that have a notBefore date prior to July 1, 2011. Users
will not be able to add a certificate override for any DigiNotar-issued
certificates with a notBefore date after July 1, 2011, which would
include the *.google.com certificate. "
Posted Aug 30, 2011 10:13 UTC (Tue) by cesarb (subscriber, #6266)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds