On Fri, Nov 1, 2013 at 4:29 PM, <fhw...@gmail.com> wrote:
> And...this is a great way for hackers, fraudsters, and the NSA (is there
> a difference?) to attack users of Firefox. All I have to do is steal a
> private key, grab the cert chain, and I can go about setting up a fake site
> that will ensnare hapless surfers. It might not be a perfect attack but it
> doesn't need to be in order to be "successful".
>
Hi,

I suggest that you go back and re-read my earlier messages in this thread. It isn't black-and-white. Basically, all this revocation checking stuff--OCSP and CRLs--is mostly giving people a false sense of security. I have found that, whenever I explain to people exactly how it works, and more importantly when and how it *doesn't* work, most people tend to agree that it is a waste of effort for us to be doing OCSP or CRL fetching at all.

> I keep looking for someone at Mozilla to say this is a big deal and that
> it can be fixed by a date certain. Instead all I've been able to gather is
> that they will implement a better solution at some point and then...?
>

We are actively implementing better solutions now. We're working to make OCSP stapling work. We're actively working on Must-Staple functionality to make revocation checking clearly meaningful in terms of security. We're working (on this mailing list) with CAs to define when and how CAs notify us about security-critical revocations, to work around the serious deficiencies in how browsers (not just Firefox) have done revocation checking through OCSP and CRL fetching.

If I may speak frankly, for once: The transition from revocation checking mechanisms that almost never do anything useful to revocation checking mechanisms that are reliable and effective is not going to be 100% smooth. We need to be willing to break some eggs and take some risks in order to get to a better, reasonable, place. We (Firefox, Chrome, and other browsers) are not in a reasonable place now.

Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
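The soft-fail versus Must-Staple distinction Brian describes, as an added example that is not part of the thread or of Mozilla's code: a small model of the client's accept/reject decision (the Policy, Handshake and decide names are this example's own assumptions), run over the revoked-certificate-plus-blocked-responder scenario from the quoted message and over a plain responder outage.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNAVAILABLE = "unavailable"  # responder blocked, down, or timed out

class Policy(Enum):
    SOFT_FAIL_FETCH = "soft-fail OCSP/CRL fetch"  # how browsers fetched in 2013
    HARD_FAIL_FETCH = "hard-fail OCSP/CRL fetch"
    MUST_STAPLE = "stapling + Must-Staple"        # soft-fail fetch for certs without the extension

@dataclass
class Handshake:
    cert_must_staple: bool     # the certificate carries the Must-Staple extension
    stapled: Optional[Status]  # OCSP response stapled by the server, if any
    fetched: Status            # outcome of the client's own OCSP/CRL fetch

def decide(policy: Policy, hs: Handshake) -> Tuple[bool, str]:
    """Return (accepted, reason) for one handshake under one policy."""
    if hs.stapled is not None:
        # a stapled response is authoritative whenever the server sends one
        return hs.stapled is Status.GOOD, f"stapled response says {hs.stapled.value}"
    if policy is Policy.MUST_STAPLE and hs.cert_must_staple:
        return False, "certificate requires a staple and none was sent"
    if hs.fetched is Status.REVOKED:
        return False, "fetched response says revoked"
    if hs.fetched is Status.UNAVAILABLE:
        soft = policy in (Policy.SOFT_FAIL_FETCH, Policy.MUST_STAPLE)
        return soft, "responder unreachable; " + ("ignored (soft-fail)" if soft else "hard failure")
    return True, "fetched response says good"

def blocked_responder_outcomes() -> Dict[str, bool]:
    """Constructed scenario from the thread: the certificate has been revoked,
    nothing is stapled, and the client's path to the responder is blocked."""
    hs = Handshake(cert_must_staple=True, stapled=None, fetched=Status.UNAVAILABLE)
    return {p.value: decide(p, hs)[0] for p in Policy}

def responder_outage_outcomes() -> Dict[str, bool]:
    """Constructed benign scenario: valid certificate without the extension, server
    does not staple, and the CA's responder is merely down. Shows hard-fail's cost."""
    hs = Handshake(cert_must_staple=False, stapled=None, fetched=Status.UNAVAILABLE)
    return {p.value: decide(p, hs)[0] for p in Policy}
```

Under the 2013 soft-fail behaviour the blocked-responder case is accepted, which is the "false sense of security" in the message; hard-fail rejects it but also rejects every legitimate site during a responder outage, and Must-Staple rejects only certificates that asked for a staple and did not get one.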