I am not a Mozilla developer, nor have I ever been, but I am a user of what I
consider to still be the free Internet.
I have been in scenarios with silent MITM attacks, primarily in corporate
environments, as has been mentioned on this thread, and I would _greatly_
appreciate visual indication that
While this is a technical discussion, it's important to note that a decision
made here *will* have consequences on real people, which adds an essential
moral component.
Kazakhstan is a nation state known for its poor human rights record.
Journalists critical of the government have been
On Thursday, July 18, 2019 at 12:42:00 PM UTC-7, Matthew Hardeman wrote:
> Regarding indicators, I agree that it should be more apparent. Perhaps a
> dedicated bar that occupies an entire edge-to-edge horizontal area.
>
> I would propose that it might have two distinct messages, as well:
>
> 1.
Thoma Bravo will no longer be involved once the deal happens.
From: Ryan Sleevi
Sent: Thursday, July 18, 2019 3:30 PM
To: Jeremy Rowley
Cc: mozilla-dev-security-policy
Subject: Re: Change in control event at DigiCert
On Wed, Jul 17, 2019 at 8:09 PM Jeremy Rowley via
On Thu, Jul 18, 2019 at 11:40 AM Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Andrew Ayer filed two bugs yesterday that might be worthy of a bit
> of discussion. They both appear to be in reference to root certificates
> included in the Mozilla program
On Wed, Jul 17, 2019 at 8:09 PM Jeremy Rowley via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> Just FYI, there is an upcoming change in control event that will happen at
> DigiCert where TA and Clearlake will take equity ownership of the company.
> TA is currently a
On Thu, 18 Jul 2019 11:40:31 -0700, Wayne Thayer via dev-security-policy wrote:
> Andrew Ayer filed two bugs yesterday [1] [2] that might be worthy of
> a bit of discussion.
There's a third bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1567062
Like the GoDaddy case, the intermediate
For the easiest one first: with respect to the GoDaddy disclosure [1 (your
#2)], I can't see either certificate being disclosed in the audit report.
That definitely sounds like a clear and obvious incorrect disclosure - but
perhaps I'm missing something?
With respect to the Sectigo disclosure [2
Regarding indicators, I agree that it should be more apparent. Perhaps a
dedicated bar that occupies an entire edge-to-edge horizontal area.
I would propose that it might have two distinct messages, as well:
1. A message that an explicitly known MiTM certificate exists in the
certificate chain
I agree a persistent indicator is a good idea. From what I understand Firefox
does already have an indicator hidden in the site information box that appears
when you click the lock icon in the address bar (
https://bugzilla.mozilla.org/show_bug.cgi?id=1549605 ). This should be more
visible in
If the government of Kazakhstan requires interception of TLS as a condition
of access, the real question being asked is whether or not Mozilla products
will tolerate being used in these circumstances.
Your options are to block the certificate, in which case Mozilla products
simply become unusable
On Thu, Jul 18, 2019 at 10:00 AM Ryan Sleevi wrote:
>
> On Thu, Jul 18, 2019 at 12:50 PM Wayne Thayer via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> Finally, I'll point out that Firefox implements public key pinning via a
>> preloaded list of sites, so the
For everyone's reference, here is a link to the old thread:
https://groups.google.com/d/msg/mozilla.dev.security.policy/wnuKAhACo3E/ujxPTWTlCQAJ
To be clear, the Kazakhstan government CA's root inclusion request
referenced in that thread was denied:
Sorry for bumping this old thread, but the Government of Kazakhstan has already
started to use the certificate for MITM. Some information in the news (in Russian):
https://tengrinews.kz/internet/spetsialnyiy-sertifikat-poprosili-ustanovit-smartfonyi-374216/