RE: [FORGED] Re: [FORGED] Re: Nation State MITM CA's ?

On Tue, 12 Jan 2016, Peter Gutmann wrote: Or we ensure that firefox and chrome refuses to see those sites at all, because they refuse a downgrade attack. So users will switch to whatever browser doesn't block it, because given the choice between connecting to Facebook insecurely or not

Re: [FORGED] Re: [FORGED] Re: Nation State MITM CA's ?

It really isn't a good idea for Mozilla to try to mitigate the security concerns of people living in a police state. The cost of doing so is you will set precedents that others demand be respected. Yes providing crypto with a hole in it will be better than no crypto at all for the people who

Re: [FORGED] Re: [FORGED] Re: Nation State MITM CA's ?

The Mozilla Trusted Root program can and should police violations of the Mozilla Trusted Root program, and any other fraudulent *publicly trusted* certificates. That's non-controversial. Policing violations of more general social norms -- by choosing to actively distrust non-publicly-trusted

Re: [FORGED] Re: [FORGED] Re: Nation State MITM CA's ?

On Tue, Jan 12, 2016 at 11:46 AM, Jakob Bohm wrote: > On 12/01/2016 16:49, Phillip Hallam-Baker wrote: >> >> It really isn't a good idea for Mozilla to try to mitigate the >> security concerns of people living in a police state. The cost of >> doing so is you will set

RE: [FORGED] Re: [FORGED] Re: Nation State MITM CA's ?

Paul Wouters writes: >> If you disallow the cert and turn off encryption, Borat can still read >> everyone's traffic, but so can everyone else on the planet. > >Who said "turn off encryption"? If you don't allow the MITM cert, which is needed to enable encryption in the

Re: [FORGED] Re: Nation State MITM CA's ?

On Mon, 2016-01-11 at 19:45 +0100, Jakob Bohm wrote: > He is obviously referring to the fact that refusing to encrypt using > the MiTM certificate would force users to access their e-mails (etc.) > using unencrypted connections (plain HTTP, plain IMAP, plain POP3 > etc.), thus exposing themselves

Re: [FORGED] Re: Nation State MITM CA's ?

On Mon, Jan 11, 2016 at 1:45 PM, Jakob Bohm wrote: > On 09/01/2016 19:22, Kai Engert wrote: >> >> On Sat, 2016-01-09 at 14:11 +, Peter Gutmann wrote: >>> >>> That would have some pretty bad consequences. With the MITM CA cert >>> enabled, >>> Borat [0] can read every

Re: [FORGED] Re: Nation State MITM CA's ?

On 09/01/2016 19:22, Kai Engert wrote: On Sat, 2016-01-09 at 14:11 +, Peter Gutmann wrote: That would have some pretty bad consequences. With the MITM CA cert enabled, Borat [0] can read every Kazakh user's email, but no-one else can. With the MITM CA blacklisted, Borat can still read

RE: [FORGED] Re: Nation State MITM CA's ?

Kai Engert writes: >Independently of the request for inclusion, this group could discuss if the >Kazakhstan's CAs should be blacklisted, by adding them to the Mozilla CA list >using negative distrust flags That would have some pretty bad consequences. With the MITM CA cert

Re: [FORGED] Re: Nation State MITM CA's ?

On Sat, 2016-01-09 at 14:11 +, Peter Gutmann wrote: > That would have some pretty bad consequences.  With the MITM CA cert enabled, > Borat [0] can read every Kazakh user's email, but no-one else can.  With the > MITM CA blacklisted, Borat can still read every Kazakh user's email, but so > can