And...this is a great way for hackers, fraudsters, and the NSA (is there a difference?) to attack users of Firefox. All I have to do is steal a private key, grab the cert chain, and I can go about setting up a fake site that will ensnare hapless surfers. It might not be a perfect attack but it doesn't need to be in order to be "successful". I keep looking for someone at Mozilla to say this is a big deal and that it can be fixed by a date certain. Instead all I've been able to gather is that they will implement a better solution at some point and then...?
On 11/02/2013 01:00 AM, From fhw...@gmail.com:
> Or to put it another way, everyone could stop issuing CRLs immediately
> and have no appreciable impact on Internet security. I think that
> would surprise many people.

Obviously it would have an impact on other browsers and systems. But true, it wouldn't affect Firefox and friends (this time in the negative way). It's however nothing new, it would be news to me that it checks any CRL at all.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy