Hmmmm...
Asking for responsible stewardship over a key economic power on the Internet... Should'nt that fall under the "Bleeding Obvious" category and why has this not been requested from day one?
Mozilla has directed all web authentication authorities trusted by its software to conduct security audits to ensure they aren't being abused to issue counterfeit secure sockets layer certificates. Thursday's note from Kathleen Wilson, who oversees the certificate authorities included in the Firefox browser and Thunderbird …
If this actually gets followed through fully. I am happy that at least my preferred browser maker has made a statement of intent to follow up, but we might see one or two days before the deadline a reversal from Mozilla.
I sincerely hope that doesn't happen though and we see a few more point upgrades to blacklist non-conforming CA's.
OCSP *can* use certificate serial numbers, the request contains hash of common name and public key too. OCSP can be used both as a frontend to CRL and as a whitelist mechanism. Problem is that it's implementation specific.
We need a whitelist mechanism for certificates. CAs publishing hash list of all signed certificates would be a good start (that needed to be cross-checked at least yearly with actual certificates by a third party).
A classic example of where the Internet can go wrong.. When I learned the technical aspects of certification (with many thanks to OpenSSL, its documentation and the many people who shared their experiences on the Net) it got me curious as to how the main browsers handled this. Better put: how would I get my own CA certificate listed ?
Step one: bring money.
Now, this doesn't fully apply when you apply to Mozilla directly, but what about parties who buy themselves into the market by getting their CA certificate accepted (signed) by another CA who is already listed in the major browsers ?
So by getting "CA certified" through channels like Thawte, Verisign and others?
Its a late for Mozilla to start showing some muscle here because the damage has already been done. I don't mean Diginotar; I'm referring to the scenario described above.
And there is another issue to consider... If Microsoft includes a certificate in their OS, do you really think Mozilla can allow itself to simply ignore the whole thing and insist people contact them directly? When there's a browser war going on; where the "user experience" is what matters most?
I don't think so! Theoretical scenario: "Man, FF is lame; I go to website X and I can't even access it without errors! Explorer has no issues, seems Chrome also works. Guess those are the better browsers then".
Check for yourself:
http://www.mozilla.org/projects/security/certs/included/
It appears as if Mozilla has /many/ more CA's listed in their browser than MS has. On my Win7 I have 28 trusted root certificates, where 2 have been added by me, vs. 49 within the Mozilla browsers (according to the list mentioned above).
"Man, FF is lame; I go to website X and I can't even access it without errors! Explorer has no issues, seems Chrome also works. Guess those are the better browsers then."
Well, yeah, they are, *if* you don't mind your wallet being emptied by some porn baron in a foreign country. Judging from the huge market share maintained over many years by IE6, *most* people don't mind that and therefore IE6 *is* (for them) a better browser.
Firefox's market is those who actually bother to read error messages and want to retain some control over their computer. That's a *niche* market. Oh sure, everyone *talks* about wanting to be safe on the internet, but almost nobody is actually willing to invest the time and energy required to do so. Objectively speaking, then, they actually *don't* care.
I'm fine with that. It's a free country.
Yeah, coz typical end-users are really going to spend time and energy discriminating between a root certificate from a reputable authority and one from (say) DigiNotar.
The current practice of bundling is probably the only thing that stops Verisign having a total monopoly. (Since most of your customers will have heard of Verisign and won't have heard of anyone else, and those customers are the ones deciding whether your certificate is trustworthy, who are you going to get to issue your certificate?)
c'mon , developers dictating PKI CAs security policy? Admittedly, there seem to be nobody better placed since customers don't seem to care (as they should!) but it only serves to prove that PKI system have not worked as well as hoped for.
Since PGP is not really viable alternative either (at least in SSL space) there seem to be some space for future invention left, which is what Mozzilla should focus on. They do come with nifty ideas from time to time, e.g. browser Id user authentication.
CAs clearly don't work. Comodohacker and DigiNotar has clearly showed this. Revoking the root certs of one CA doesn't help the next time a CA gets hacked. CAs are a single point of failure, and single points of failure should be avoided. Clients such as web browsers should update their software and use DNSSEC instead to validate SSL certs (DANE). DNS is a native internet architecture, distributed, and with DNSSEC it's secured and cryptographically signed.
Create a database that maps Domain names to Certificate authorities. That way if a domain is listed twice, then it is something that requires some attention, it would certainly have prevented the DigiNotar attack from happening as long as it did.
ICANN would be a good candidate to run this.
DNSsec also needs to be rolled out completely, what the hell is taking it so long?
While either or both of these will not be 100% secure, nothing ever will be. Everything can be broken, bypassed, spoofed, etc.
.deb
packages