disabling HSTS
disabling HSTS
Posted Apr 19, 2017 18:58 UTC (Wed) by tialaramex (subscriber, #21167)In reply to: disabling HSTS by linuxrocks123
Parent article: Tor exit node operator arrested in Russia (TorServers.net blog)
As with any other public CA, Let's Encrypt allows certificate problem reports, through which you could achieve revocation of a fraudulently issued certificate. However a certificate is not "fraudulently issued" just because you don't like who it was issued to or how they're using it, if Steve murders a woman in cold blood, then drives to the airport and boards a plane, neither his driving license nor his passport become "fraudulently issued" just because Steve is now a murderer. This is, by some irony, not so different from the muddled thinking that has the Russians persecuting a Tor node operator for the behaviour of Tor users.
But my main point wasn't this mundane lack of understanding, even though it ought to be enough for you not to want anything to do with somebody developing a web browser, we see the same failure to comprehend from all over. My point was that having decided this is untrustworthy Moonchild decided to do nothing whatsoever about it, so that the effect is exactly the same as if they hadn't made this silly declaration at all. You correctly diagnosed that the result is the certificates are trusted because they were cross-signed. But this isn't the end of the trail at all, stopping there tacitly accepts that these certificates and the CA are fine, but just you're going to make a song and dance.
As far as Pale Moon is concerned the Let's Encrypt CA is just a subCA for Identrust. Assuming that Pale Moon inherits most of the actual machinery of Mozilla's Firefox, this gives them three practical options to choose from. The most drastic is to demand IdenTrust fix this, or if they will not remove IdenTrust from their trust store for issuing subCA certificates to the untrustworthy Let's Encrypt. The next option is to add the cross-signed Let's Encrypt certs as explicitly distrusted in the Pale Moon package, this is how Firefox dealt with problems like DigiNotar early on. Finally the browser can be configured to restrict trust in some other way as a result of making a deal with Let's Encrypt, if they fix whatever troubles you, you'll trust certificates issued after some particular date.
In practice of course Let's Encrypt is ubiquitous at this point, so doing any of these things because of their misunderstanding about what it means for something to be "fraudulently issued" would be grossly disproportionate. But the situation today, in which they profess it is not "trustworthy" but in fact Pale Moon trusts it entirely is a joke.