Just a quick note that there was buzz around this year's RSA conference that some parties (snooping governments?) are actively using subordinate CA keys to MITM SSL/TLS transactions, including ActiveSync connections.

http://twitter.com/#!/WeldPond/status/37930269600124928
http://twitter.com/#!/alexstamos/status/38731764579045376

Apparently the ActiveSync MITM is very interesting because some platforms, including Android, don't support client certificate authentication for ActiveSync and therefore send reusable Windows domain username + password.

Anyhow, another argument for giving users & enterprises more control over the collection of trusted roots.

-Peter

On Feb 23, 4:15 pm, Stephen Schultze <[email protected]> wrote:
> On Feb 23, 2011, at 2:32 PM, Chris Palmer wrote:
> > On Wed, Feb 23, 2011 at 10:12 AM, Brian Carlstrom <[email protected]> wrote:
> >> Internally I have the CAs reviewed with our security operations
> >> team. No, it's not a very public process like Mozilla, but being
> >> included by Mozilla is one positive factor in favor of inclusion in
> >> Android. If you look at all the CA requests (sorry there isn't an
> >> easy way I guess) you'll find only a couple have been rejected that
> >> I can recall, both of which were also not included by Mozilla, one
> >> because it was a government CA that wasn't for public sites and the
> >> other because they issued multiple CAs with the same subject name,
> >> something that neither Mozilla nor Android supports currently.
> >
> > I must note that some of the CAs Mozilla trusts are quite dubious
> > indeed. Even EV CAs mess up on basic stuff.
>
> Yes, there are problems with the CA trust model in general, and I too
> dispute some of Mozilla's decisions (and I participate in their
> vetting process). We had Peter from EFF on a panel related to his SSL
> Observatory work (as well as the larger issues) last year:
>
> http://citp.princeton.edu/events/emerging-threats-to-online-trust/
>
> The fact that the Mozilla process is open is however a point in its
> favor. Ultimately, users are the ones who have to "trust" the list
> anyway, and inviting them into the process and keeping that process
> transparent seems like a good feature. I would suggest the same thing
> for Android.
>
> Giving users the ability to customize their own root CA lists in
> addition is a further improvement, and probably necessary for anybody
> to take Android seriously in the enterprise market (not to mention
> giving retail customers more control over who they trust). Each user
> has different trust tolerances, and trusts different entities
> differently... but of course that's where all that angst on the bug is
> coming from.
