I've recently published a proposal for Site Security Policy, a
framework for allowing sites to describe how content in their pages
should behave (thanks, Gerv):
http://people.mozilla.com/~bsterne/site-security-policy
I'm creating a placeholder for any discussion that comes out of that
Hi Gerv,
[Off-topic] For one I must notice the incredible inconvenience in
working with Bugzilla and this mailing list. It happens many times that
the same issue is discussed and tracked at different bugs in parallel.
I'm a CC on bug 434128 and just got aware of bug 435082. Can you tell me the
Eddy Nigg (StartCom Ltd.) wrote:
This is a known shortcoming of FF2 and inherits higher risks than weak
keys. That's because if a certificate is revoked because of a weak key,
it was most likely requested by the subscriber himself and he wouldn't
continue using the weak key anyway.
But the
Boris Zbarsky:
But the MITM attacker could use it to impersonate the site, which is the whole point.
Yes, if the attacker managed to get a copy of the previously used
and signed key. No, if the subscriber managed to change his cert
before.
- Modify NSS/Firefox to detect
Eddy Nigg (StartCom Ltd.) wrote:
Yes, if the attacker managed to get a copy of the previously used
and signed key. No, if the subscriber managed to change his cert
before.
Could maybe try to brute-force the old key until they come up with a forged
certificate that an SSL library