Control: forwarded -1 https://bugzilla.mozilla.org/show_bug.cgi?id=994033

On 04/09/2014 08:07 AM, Klemens Baum wrote:
Following the OpenSSL CVE-2014-0160 "Heartbleed" vulnerability [1,2],
any certificate that was used with a vulnerable version of OpenSSL (I
read somewhere 1/3 of the web) should be handled as if it were compromised.

Compromised certificates have to be replaced with new ones (new keys)
and the old ones should be revoked.

StartCom provides cheap and even free SSL certificates via the
StartSSL brand. However, revoking certificates requires a
US$ 24.90 fee [3]. This discourages responsible sysadmin procedure
and will ensure many compromised certificates remain in use. As a
consequence you can't trust certificates signed by StartCom before
2014-04-07.

Solution 1: StartCom should revoke affected certs. (unlikely[4-6])

Solution 2: StartCom should be removed from the truststore.

If Mozilla believes this is justification for removal, which I doubt will happen, then the same will happen in ca-certificates. Debian ca-certificates users may remove trust locally at any time, if they desire.

See also: https://bugzilla.mozilla.org/show_bug.cgi?id=994033

Marking this as the upstream bug report.

[1] https://www.openssl.org/news/secadv_20140407.txt
[2] http://heartbleed.com/
[3] http://www.startssl.com/?app=25#72
[4] https://news.ycombinator.com/item?id=7557764

A user comment here says the CVE was cited, and StartSSL waived the revocation fee.

[5] https://twitter.com/startssl/status/453583493386485760
[6] https://twitter.com/startssl/status/453631038883758080

--
Kind regards,
Michael
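The local removal mentioned above (a Debian ca-certificates user dropping trust in StartCom on their own box) as an added shell example; this is not code from the bug report, from Klemens, or from the ca-certificates package. It relies on the real mechanism: /etc/ca-certificates.conf lists one certificate path per line, a leading "!" deselects that CA, and update-ca-certificates(8) then removes it from /etc/ssl/certs. To run without root and offline, the demo edits a constructed, cut-down copy of that file; the entry names in it are illustrative, and the function names disable_ca, enabled_cas and write_demo_conf are this example's own.

```shell
#!/bin/sh
# Added example: deselect a CA in Debian's ca-certificates configuration.
# Runs against a constructed sample file so it needs neither root nor network.
set -eu

# write_demo_conf PATH
# Writes a constructed, shortened stand-in for /etc/ca-certificates.conf.
# The format is the real one: "#" starts a comment, each other line is a
# certificate path relative to /usr/share/ca-certificates, and a leading
# "!" marks a CA that is installed but deselected. Entry names are illustrative.
write_demo_conf() {
    cat > "$1" <<'EOF'
# Constructed sample of /etc/ca-certificates.conf (real file is longer).
# Lines that begin with "#" are comments. Lines that begin with "!" are
# deselected and update-ca-certificates(8) drops them from /etc/ssl/certs.
mozilla/DigiCert_Global_Root_CA.crt
mozilla/StartCom_Certification_Authority.crt
mozilla/StartCom_Certification_Authority_G2.crt
!mozilla/Some_Already_Disabled_CA.crt
EOF
}

# enabled_cas CONF
# Prints the entries that are currently selected (neither comment nor "!").
enabled_cas() {
    grep -E '^[^#!]' "$1" || true
}

# disable_ca CONF PATTERN
# Prefixes every still-enabled entry matching the extended regex PATTERN
# with "!", leaving comments and already-deselected lines untouched.
# Prints how many entries were deselected by this call.
disable_ca() {
    conf=$1
    pattern=$2
    before=$(grep -cE '^[^#!]' "$conf" || true)
    awk -v pat="$pattern" '
        /^[#!]/ || $0 == "" { print; next }   # comments, blanks, already "!"
        $0 ~ pat            { print "!" $0; next }
                            { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    after=$(grep -cE '^[^#!]' "$conf" || true)
    echo $((before - after))
}

# Demo on a temporary copy.
demo=$(mktemp)
write_demo_conf "$demo"
changed=$(disable_ca "$demo" 'StartCom')
echo "deselected $changed StartCom entries; still enabled:"
enabled_cas "$demo"
rm -f "$demo"

# On a real Debian system the same edit, as root, is:
#   disable_ca /etc/ca-certificates.conf StartCom && update-ca-certificates
# update-ca-certificates removes the deselected roots from /etc/ssl/certs and
# rebuilds /etc/ssl/certs/ca-certificates.crt; deleting the "!" again and
# re-running it restores trust. dpkg-reconfigure ca-certificates offers the
# same toggle interactively.
```

Note that this only affects programs that use the system bundle (OpenSSL/GnuTLS based tools, curl, wget and the like); Firefox, Chromium and the JDK carry their own trust stores and need the CA disabled separately.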

