Bugtraq mailing list archives

Re: Firefox 3.6 for Windows includes a forged CA cert

From: dveditz () cruzio com
Date: Mon, 22 Mar 2010 11:34:21 -0700 (PDT)

a cert labeled "MD5 Collisions Inc (http://www.phreedom.org/md5)" [...]
Yes, it's expired, so it poses no real threat, but why is the Mozilla
Project shipping Firefox with that cert?  It just causes FUD.


This is an override for the forged cert, with all trust bits removed. That
way should the demo cert make it into the wild users will get a hard
failure rather than an overridable one. We worried that many users are
trained to accept "expired" certs as fairly normal and not notice it was
an expired intermediate rather than the end cert.

For more information please see
https://bugzilla.mozilla.org/show_bug.cgi?id=471715

-Dan Veditz

Current thread:

Firefox 3.6 for Windows includes a forged CA cert Francis Litterio (Mar 22)
- Re: Firefox 3.6 for Windows includes a forged CA cert dveditz (Mar 23)
- Re: Firefox 3.6 for Windows includes a forged CA cert Mike Duncan (Mar 23)
- Re: Firefox 3.6 for Windows includes a forged CA cert Marcus Meissner (Mar 23)
- <Possible follow-ups>
- Re: Firefox 3.6 for Windows includes a forged CA cert adam (Mar 23)