Bug#927879: ca-certificates should not hardcode QuoVadis certificate authorities in /etc/ca-certificates.conf
On Thu, 25 Apr 2019 18:38:04 +0200 Kurt Roeckx wrote: > So far "normal use", we install the list as provided > by Mozilla as the default. > > > Kurt Lol... im guessing Debian security should have spotted this issue before me. I am sorry but it is not very careful to trust and import any third-party certificate authorities not needed for standard TLS 1.2 security into the Debian package system by default.. Also i dont trust Mozilla corporation (and their third-party partners, including Dark Matter and the UAE i guess) anymore because firefox has become a disgrace for the free software movement i still believe in. :o) Regards, tk -- tkad...@yandex.com | Twitter: @wise_project https://www.isotoperesearch.ca/ Not everyone who wander are lost.
Bug#927879: ca-certificates should not hardcode QuoVadis certificate authorities in /etc/ca-certificates.conf
On Wed, Apr 24, 2019 at 06:22:04PM -0400, Soppy bear wrote: > omg... i cant believe u just closed that ticket... :u > > pls let me explain. > > 1. This is a Debian problem because the end user should be able to use TLS > without having > to import/use certificates without any practical use for normal operations. I'm not sure what you mean with the "without any practical use for normal operations". There is no way to use TLS without having a list of trusted certificates. Without that list, you should not be able to make a single secure connection, or the software is broken. So far "normal use", we install the list as provided by Mozilla as the default. Kurt
Bug#927879: ca-certificates should not hardcode QuoVadis certificate authorities in /etc/ca-certificates.conf
On 4/24/19 5:22 PM, Soppy bear wrote: 1. This is a Debian problem because the end user should be able to use TLS without having to import/use certificates without any practical use for normal operations. Users *can* configure the ca-certificate package and set CA trust for each and every CA, as well as configure new-CA trust however they wish. Users can preseed debconf at installation time to trust no CAs, if they so desire. I'm not going to get into the details of preseeding installations, but runtime configuration is done with: dpkg-reconfigure ca-certificates Please, describe the problem better, if there is a concrete bug. The description here and previously make little sense to me, other than a personal preference and misunderstanding of how to configure CA trust. If there is a CA in the current Mozilla bundle that is problematic for you and the Internet, please contact Mozilla with this information, if there is evidence of evil doings, Mozilla is the correct project to inform. If you don't trust a particular CA that is in the current Mozilla bundle, disable it. You can automate this, if you maintain a large number of systems. 2. I have removed Firefox from my systems permanently because of this reason and upgraded my research laptop to debian unstable for this specific reason. OK. What does this have to do with the ca-certificates package? -- Kind regards, Michael
Bug#927879: ca-certificates should not hardcode QuoVadis certificate authorities in /etc/ca-certificates.conf
omg... i cant believe u just closed that ticket... :u pls let me explain. 1. This is a Debian problem because the end user should be able to use TLS without having to import/use certificates without any practical use for normal operations. 2. I have removed Firefox from my systems permanently because of this reason and upgraded my research laptop to debian unstable for this specific reason. Thank you. tk == tkad...@yandex.com | Twitter: @wise_project https://www.isotoperesearch.ca/ Not everyone who wander are lost. On Wed, 24 Apr 2019 13:45:42 -0500 Michael Shuler wrote: > Control: tags -1 + wontfix > > Won't fix and done, only because there is no bug to fix. Please, read > on. (For further discussion on this specific topic, I highly recommend > reading and/or posting to Mozilla dev-security-policy[0], not the Debian > BTS. The Mozilla project would be the correct place to, for instance, > submit concrete evidence on the topic, not the BTS.) > > On 4/24/19 9:47 AM, Soppy bear wrote: > > 1. The configuration file /etc/ca-certificates.conf is hard coding > > potentially > > insecure mozilla/QuoVadis certificate authorities into the base system. This > > change might unintentionally affect TLS security in future releases of > > Debian > > and is not necessary or recommended. > > > > 2. We also need to make sure debconf will no trust and import new > > certificate authorities by default when doing package upgrades or there > > should be way for the user to remove any unwanted ca entries. > > /etc/ca-certificates.conf is a user-controlled configuration file. It is > not hardcoded. The ca-certificates configuration can be updated by users > at any time. For instance, (1.) users may wish to disable particular > CAs, or (2.) users may configure all updates to ask for approval or deny > all updates. > >dpkg-reconfigure ca-certificates > > > 1. https://isotopesoftware.ca/wiki/DarkMatter > > 2. https://twitter.com/wise_project/status/1102931776954089474 > > 3. https://twitter.com/wise_project/status/1120920928915947520 > > I'm well aware of this topic. I appreciate the random twitter links, but > this topic is already under extensive discussion on the Mozilla > dev-security-policy mailing list[0], which I read closely. No decisions > have been made as of yet by the Mozilla project on this topic. I will > not make arbitrary decisions defaulting something for users that users > may make on their own, based on their own opinions, if they are > different than the experts in the field. > > Please, by all means, disable their CA, if you don't trust it - that is > why you have the ability to do so. > > I get it, I really do, it is an interesting story, but the story is > still playing out. Is it politics? Is the true? I've read the news > stories. The CA trust story is still being discussed and evidence is > still being gathered, but I do not have the definitive answer for all > users. The Mozilla project is *the* definitive source for this area of > technology, and a lot of people are watching, myself included. If > Mozilla decides to pull the CA, it will get pulled from ca-certificates. > > Do what you feel is right for you on your systems. The configuration > options are there for you to customize as you see fit. > > [0] https://groups.google.com/forum/#!forum/mozilla.dev.security.policy > > -- > Kind regards, > Michael
Bug#927879: ca-certificates should not hardcode QuoVadis certificate authorities in /etc/ca-certificates.conf
Package: ca-certificates Version: 20190110 Severity: normal 1. The configuration file /etc/ca-certificates.conf is hard coding potentially insecure mozilla/QuoVadis certificate authorities into the base system. This change might unintentionally affect TLS security in future releases of Debian and is not necessary or recommended. 2. We also need to make sure debconf will no trust and import new certificate authorities by default when doing package upgrades or there should be way for the user to remove any unwanted ca entries. References: 1. https://isotopesoftware.ca/wiki/DarkMatter 2. https://twitter.com/wise_project/status/1102931776954089474 3. https://twitter.com/wise_project/status/1120920928915947520 -- System Information: Debian Release: buster/sid APT prefers testing APT policy: (500, 'testing') Architecture: i386 (i686) Kernel: Linux 4.19.0-2-686-pae (SMP w/2 CPU cores) Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8), LANGUAGE=en_CA:en (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages ca-certificates depends on: ii debconf [debconf-2.0] 1.5.71 ii openssl1.1.1b-2 ca-certificates recommends no packages. ca-certificates suggests no packages. -- debconf information excluded