Full Disclosure mailing list archives
Re: Trustwave and Mozilla
From: decoder <decoder () own-hero net>
Date: Mon, 13 Feb 2012 13:52:41 +0100
Hi Jeffrey,

On 02/12/2012 11:54 AM, Jeffrey Walton wrote:
> For what it's worth, pinning the certificate can usually remediate these sorts of MitM attacks, but Mozilla subverted it: http://ssl.entrust.net/blog/?p=615.

Please take a look at our security roadmap (https://wiki.mozilla.org/Security/Roadmap). You will see that CA pinning is a P1 feature, which means it is actively being worked on. In fact, our update service already does some sort of pinning (for securely retrieving updates); it's just that failures are not reported right now. It's possible that this sort of pinning could be extended to other services and also alert the user (and/or us, if that is possible somehow).

Cheers,
Chris