
Re: [tlug] firefox SSL certs



Philipp Wollermann writes:

Thanks for the correction on the meaning of the unintelligible link
names.

 > > Of course what this means is that ultimately you trust Mozilla
 > > ....

 > Mozilla, Debian and all others recently pushed an urgent security
 > update which removes the root certificate of the DigiNotar CA from
 > the trust store (aka /etc/ssl/certs).

Sure, but there's a fair amount of controversy about whether they're
strict enough.  A similar incident happened with Comodo, but their
certificate was not removed because in the judgment of the Mozilla
team they responded "appropriately" -- but some people disagree.  And
as one of the Mozilla team pointed out inadvertently, except for
Comodo (known to do a good job by Mozilla standards) and DigiNotar
(the reverse), all the other agencies are either doing a good job or
better at hiding their flaws than DigiNotar ... and neither we nor
Mozilla know which is true for any given agency.

So what it comes down to is most people just trust Mozilla (and it's
widespread; utilities like curl also "trust" Mozilla).  I don't see a
practical alternative, but users should be aware that that is what
they are doing.

 > See this security advisory: http://www.debian.org/security/2011/dsa-2299
 > 
 > By the way, all SSL certificates in /etc/ssl/certs are supplied via
 > this package:

*sigh* Putting the hashes in that directory is user-unfriendly
organization.
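As an added example (not part of this thread or of the Debian package), the following POSIX shell script resolves the hash-named links OpenSSL keeps in a trust directory back to readable subjects and checks whether a given CA is still trusted, the kind of check one would run after an advisory like DSA-2299. It assumes the openssl CLI is installed and builds a throwaway store with one constructed self-signed CA rather than touching the real /etc/ssl/certs.

```shell
#!/bin/sh
# Added example, not from the thread: resolve the hash-named links OpenSSL
# keeps in a trust directory back to readable subjects, and check whether a
# given CA is trusted. Assumes the openssl CLI; uses a temporary directory
# holding one constructed self-signed CA instead of the real /etc/ssl/certs.
set -eu

# Print "<subject_hash> <subject>" for every certificate in DIR, deduplicating
# the c_rehash symlink and the file it points to.
list_trusted() {
    dir="$1"
    for f in "$dir"/*.pem "$dir"/*.crt "$dir"/*.0; do
        [ -e "$f" ] || continue
        h=$(openssl x509 -in "$f" -noout -subject_hash)
        s=$(openssl x509 -in "$f" -noout -subject)
        printf '%s %s\n' "$h" "$s"
    done | sort -u
}

# Exit 0 if some trusted certificate's subject matches PATTERN, else 1.
# Handy after an advisory like DSA-2299 to confirm a removed CA is gone.
ca_trusted() {
    list_trusted "$1" | grep -q -- "$2"
}

# Build a throwaway store laid out the way c_rehash does: the PEM file plus a
# <subject_hash>.0 symlink. Prints the directory path.
make_demo_store() {
    dir=$(mktemp -d)
    printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$dir/req.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/req.cnf" \
        -subj '/O=Example Demo CA/CN=Demo Root' \
        -keyout "$dir/demo.key" -out "$dir/Demo_Root.pem" 2>/dev/null
    h=$(openssl x509 -in "$dir/Demo_Root.pem" -noout -subject_hash)
    ln -s Demo_Root.pem "$dir/$h.0"
    printf '%s\n' "$dir"
}

# Stand-alone demo: run with "demo" as the first argument.
if [ "${1:-}" = "demo" ]; then
    store=$(make_demo_store)
    list_trusted "$store"
    ca_trusted "$store" 'Demo Root' && echo "Demo Root: trusted"
    ca_trusted "$store" 'DigiNotar' || echo "DigiNotar: not trusted"
fi
```

Point `list_trusted` at /etc/ssl/certs to see what each 8-hex-digit link name actually stands for on a real system.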

