Bugtraq mailing list archives
Re: Firefox 3.6 for Windows includes a forged CA cert
From: dveditz () cruzio com
Date: Mon, 22 Mar 2010 11:34:21 -0700 (PDT)
> a cert labeled "MD5 Collisions Inc (http://www.phreedom.org/md5)" [...] Yes, it's expired, so it poses no real threat, but why is the Mozilla Project shipping Firefox with that cert? It just causes FUD.

This is an override for the forged cert, with all trust bits removed. That way should the demo cert make it into the wild users will get a hard failure rather than an overridable one. We worried that many users are trained to accept "expired" certs as fairly normal and not notice it was an expired intermediate rather than the end cert.

For more information please see https://bugzilla.mozilla.org/show_bug.cgi?id=471715

-Dan Veditz