Re: A new false issued certificate by Comdo?
> then why not create an internal build of Firefox, embed your own root into it, and issue certificates from that root to the boxes that need it?

Oh yeah, because people use computers for more than one purpose. A home machine can be used to VPN into work. Wake up, Mozilla. Your policy is not useful to the users.

On Thu, Nov 5, 2009 at 3:52 AM, Florian Weimer <f...@deneb.enyo.de> wrote:
> * Eddy Nigg:
>> This item has been also taken to the CAB Forum and is discussed and hopefully included with the Basic SSL Guidelines which are in the making. Host-names and internal IP addresses provide *NO PROTECTION* whatsoever and is pure snake oil. CAs which issue such certificates deceive their customers and relying parties.
>
> Sorry, this is just not true. The suppression of the browser warning is a value for which people pay. Without the certificate, the browser warning would reduce end user confidence in the service, essentially reducing security as perceived by the end user. (The system doesn't do much else anyway, but at least this type of service is provided by CAs.)

___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
Re: A new false issued certificate by Comdo?
On 11/05/2009 07:33 PM, Ian G:
> Now you're getting it. It is not acceptable to simply achieve consensus and go out and burn witches coz we all like that.

What's wrong with achieving consensus? Others fight for years to achieve that.

> Here's a suggestion from Satan. Add to clause 7:
>
> * certificates issued for internal usage must not be issued over domain names that use (insert proper language) TLDs registered by IANA. A separate subroot should be used for this, and the naming should be made so as to be obviously not confusing with any TLD.

It's been in the problematic practices for quite some time, it's a candidate for the policy (or by proxy if it will be in the Basic SSL Guidelines). Your contributions would be perceived very differently if you would do as above. Simply say, that you think that we need to add to the policy...

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
Re: A new false issued certificate by Comdo?
On 11/05/2009 08:20 PM, Florian Weimer:
> Okay, then Mozilla has got a significant problem because some CAs issue certificates for domains not delegated from the ICANN root. These CA roots should not be on Mozilla's root CA list.

Correct. We are working on that by and through various means.

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
Re: A new false issued certificate by Comdo?
In article <041120091844084030%justd...@mozilla.com>, Dave Miller <justd...@mozilla.com> wrote:
> In article <kbednvccenx9c2zxnz2dnuvz_g1i4...@mozilla.org>, Eddy Nigg <eddy_n...@startcom.org> wrote:
>> On 11/04/2009 11:13 PM, Dave Miller:
>>> Giganews says the original message got nailed as a binary post because of the included base64-encoded SSL certificate.
>>
>> Specially on these news groups this can happen from time to time. Is this something which can be fixed?
>
> Not unless we host it all ourselves (which has been discussed, and will probably happen someday, but not anytime soon probably).

Actually, looks like it is getting fixed. I just got this from Giganews support:

8<
I agree, it was a false positive. The SSL cert looked enough like mime-encoded data to trip the filter. I've asked our programmers to look into tightening the filter to prevent this in the future.
8<

--
Dave Miller
Systems Administrator, Mozilla Corporation
Re: A new false issued certificate by Comdo?
On 11/06/2009 01:42 AM, Dave Miller:
> Actually, looks like it is getting fixed. I just got this from Giganews support:
>
> 8<
> I agree, it was a false positive. The SSL cert looked enough like mime-encoded data to trip the filter. I've asked our programmers to look into tightening the filter to prevent this in the future.
> 8<

Excellent! Thanks a lot for your effort!

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
Re: A new false issued certificate by Comdo?
My apologies to a couple of people on this thread to whom I inadvertently sent private replies. I will paraphrase my replies to those two individuals publicly:

In short, 10.x.x.x or myserver or myserver.local (at least until such time as IANA/ICANN sells .local to the highest bidder) are non-routable over the internet.

If I, as an admin with 1000 users on 3000 different devices, wish to obtain a CA-signed cert to suppress browser errors for sites on my LAN for my users, and wish to pay a CA for that convenience rather than paying IANA/ICANN or one of their flunkies (who incidentally perform zero verification when I buy a domain), why should I be prevented from doing so? Because of vulnerabilities in the DNS system, or possibly hi-jacking of a HOSTS file?

It seems to me that DNS vulnerabilities and/or the ability of a malevolent party to alter a HOSTS file are the responsibility of those who code DNS servers and operating systems respectively. Not my responsibility, nor that of the CA.
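The thread's disagreement is about certificates whose subjectAltName entries (10.x.x.x addresses, single-label hosts such as myserver, or .local names) name things a public CA cannot validate control of. The script below is an added example, not code from any participant in this thread or from Mozilla's policy; it is what a relying party or a CA reviewer could run over a certificate's SAN list to flag such entries. It assumes the SAN entries have already been extracted in OpenSSL's textual form (`DNS:host` / `IP:address`), and the sample list is constructed for illustration only.

```python
import ipaddress

# Suffixes that are not delegated from the IANA root (RFC 2606 reserved
# names and the RFC 6762 mDNS domain), so domain control can never be
# validated for them by a public CA.
SPECIAL_USE_SUFFIXES = (".local", ".localhost", ".test", ".example", ".invalid")


def classify_san(entry):
    """Return a reason string if a subjectAltName entry names something
    internal or non-routable, or None if it looks like a public name.

    `entry` is assumed to be in OpenSSL's textual SAN form, e.g.
    'DNS:www.example.com' or 'IP:10.0.0.5'.
    """
    kind, _, value = entry.partition(":")
    value = value.strip().lower().rstrip(".")

    if kind == "IP":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return "unparseable IP address"
        # Check the narrower categories first: loopback and link-local
        # ranges are also reported as private by the ipaddress module.
        if addr.is_loopback:
            return "loopback IP address"
        if addr.is_link_local:
            return "link-local IP address"
        if addr.is_private:
            return "private-range IP address"
        return None

    if kind == "DNS":
        # An IP literal smuggled into a DNS entry is not a host name at all.
        try:
            ipaddress.ip_address(value)
            return "IP address in a DNS entry"
        except ValueError:
            pass
        if "." not in value:
            return "single-label hostname"
        if value.endswith(SPECIAL_USE_SUFFIXES):
            return "special-use / non-delegated suffix"
        return None

    return "unsupported SAN type"


def audit_cert_sans(entries):
    """Map each flagged SAN entry to its finding; public entries are omitted."""
    findings = {}
    for entry in entries:
        reason = classify_san(entry)
        if reason:
            findings[entry] = reason
    return findings


# Constructed sample SAN list resembling the kind of internal-name
# certificate discussed in the thread; not taken from any real certificate.
SAMPLE_SANS = [
    "DNS:www.example.com",
    "DNS:myserver",
    "DNS:myserver.local",
    "IP:10.1.2.3",
    "IP:50.0.0.1",      # ordinary public address, should not be flagged
    "IP:fe80::1",
]

if __name__ == "__main__":
    for entry, reason in audit_cert_sans(SAMPLE_SANS).items():
        print(f"{entry}: {reason}")
```

Run against the sample list it reports the two unqualified or .local names and the two non-routable addresses and stays silent on the public entries. Checking whether a name's TLD actually exists in the IANA root zone would need the current root zone list as an extra input; the suffix list above only covers the reserved names that are guaranteed never to be delegated.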
Re: Autoconfig ISP fetch security review
Gervase Markham wrote on 11/5/2009 2:00 AM:
> On 05/11/09 04:58, Bil Corry wrote:
>> You may want to consider registering a /.well-known/ path for this, which it seems perfectly suited for: http://tools.ietf.org/html/draft-nottingham-site-meta
>
> That draft seems like a "let's make the best of it" way of dealing with an unfortunate inevitability :-|.

For anyone who has suggestions or recommendations to improve it, it's being discussed on IETF apps-discuss: https://www.ietf.org/mailman/listinfo/apps-discuss

- Bil