On Sat, Oct 25, 2014 at 12:11:15PM -0700, John Nagle wrote: > The popup Firefox gives when the user clicks on the lock icon > expresses more confidence than the cert indicates. It says > that you are securely connected to [destination domain name]. > There's no mention of the fact that the cert says Cloudfront, Inc. > Firefox is creating false user confidence here.
How so? You *are* securely connected to [destination domain name], insofar as the X.509/TLS/Internet PKI systems can guarantee such a thing. That the system you are connecting to is a proxy to another (backend) system, and the connection to that backend system may be unsecured, isn't something that Firefox can determine, nor is it unique to either of Cloudflare *or* outrageous multi-SAN certificates. There are three issues at play here, and it's worth attacking each one of them individually, rather than trying to glob them all together in one monster, which will be much like attacking a hydra: * That OV certs are in a strange no-mans' land between DV and EV; * That TLS only provides confidentiality over a single link in the communications chain; * That multi-SAN certificates provide an additional attack vector (as per the "Virtual Host Confusion" paper). - Matt -- Some people are like slinkies. They don't actually serve any real purpose, but they still make you smile when you push them down the stairs. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy