Full Disclosure mailing list archives

Re: Trustwave and Mozilla (Resolved)

From: decoder <decoder () own-hero net>
Date: Thu, 23 Feb 2012 02:31:48 +0100

Hi,

some important points seem missing here. First of all, Mozilla sent a CA
communications that clarifies that issuing MitM certificates is not
acceptable by the policy (in fact, the policy was *not* clear about that
before, this case has never been there). Furthermore, all other CAs (and
according to Trustwave, quite a few CAs consider this "common
practice"), have been given a deadline by which all of these
certificates have to be disclosed (so they can be blocked) and revoked.
Any CA not following this faces removal from NSS, which seems a clear
statement to me.

How is that compatible to "violating the end user"? In fact, revoking
the Trustwave CA wouldn't have helped a lot to protect the end-user. It
wouldn't have been possible to call out to other CAs and get them to
stop their MitM business because every such CA disclosing their MitM
cert policy would have been removed as well (otherwise it would be
unfair, wouldn't it?).

It seems to me that the situation is by far not as easy as some people
try to put it. Oh and by the way: Have you heard of any other browser
vendor taking *any* steps against Trustwave?


Best,

Chris

On 02/23/2012 01:12 AM, Jeffrey Walton wrote:

It appears to be official.

Trustwave issued MitM certificates, which is deceptive, unethical, and
contrary to its agreement for inclusion.

Mozilla just rewarded their violations of trust by continuing their
inclusion. Apparently, agreements between Mozilla and CAs have no
veracity as both are more than happy to violate the end user.

Original Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=724929
NSS and Firefox Update: https://bugzilla.mozilla.org/show_bug.cgi?id=728617

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Trustwave and Mozilla (Resolved) Jeffrey Walton (Feb 22)
- Re: Trustwave and Mozilla (Resolved) decoder (Feb 22)
  - Re: Trustwave and Mozilla (Resolved) Jeffrey Walton (Feb 22)
- Re: Trustwave and Mozilla (Resolved) Al Billings (Feb 23)
  - Re: Trustwave and Mozilla (Resolved) Jeffrey Walton (Feb 22)
- Re: Trustwave and Mozilla (Resolved) Wesley Kerfoot (Feb 23)
  - Re: Trustwave and Mozilla (Resolved) Ramo (Feb 24)
- Re: [funsec] Trustwave and Mozilla (Resolved) David C Frier (Feb 24)
  - Re: [funsec] Trustwave and Mozilla (Resolved) Marcus Meissner (Feb 24)