Tuesday, August 12, 2008

New blog, and thoughts on Firefox 3 self-signed cert behavior

We launched a new blog to share some thoughts about the security practices at my employer.

The blog is here: http://www.thesecuritypractice.com/.

The basic introduction and purpose can be found here: http://www.thesecuritypractice.com/the_security_practice/who-are-we.html

A post about Firefox 3.0's handling of self-signed certificates can be found here.

This was in reaction to a piece published on Risks a bit ago - "Firefox 3's Step Backwards For Self-Signed Certificates".


Uthacalthing said...

You're rendering yourself irrelevant for real-world security purposes.

We're training our staff and users to understand that certs signed by CAs recognized by default by browsers (particularly the malfunctioning browsers like MS IE and Firefox 3) are necessary only to make those annoyingly unnecessary scary dialog boxes get the hell out of the way of their on-line experience.

The certs recognized by default don't assure identity of the remote endpoint. The certs are available as long as the check clears. Liability is expressly disclaimed. You're doing it wrong!

We're going to have to do something else to secure our transactions.

Thanks a whole lot, you &*($#*$(#s.

Andy Steingruebl said...

I guess by your reasoning we're also training our users to trust their browser to not just copy their data somewhere else too when they do a form post.

There are always going to be trust decisions somewhere. Having an SSL cert signed by a CA doesn't mean you are trusted; it does, however, generally mean you own the domain name you claim to.

Have there been instances where the CAs have made mistakes in issuing certificates? Yes. Have there been a lot of these? No. Do they have legal liability? No. Does the Mozilla team have liability if they don't validate a certificate properly? No. Does your OS manufacturer have liability if they don't do things right? Probably not.

I'm not exactly sure where you're going with this.

As constituted, CA-signed certificates prevent us from one form of MITM attack. That's generally the extent of it. Given that it's a fairly easy attack to pull off on a local network such as a cafe, coffee shop, airport, etc., I think it's worth mitigating that attack, even if it isn't perfect.

You obviously disagree.

But, perhaps the name calling is a bit much?