Network World

Why do they make a problem of this?

IE7 also gives a warning page when the certificate is from a non-trusted party or is expired.

It is just good that IE or Firefox warns if it could not perfectly validate the certificate. After that it should be up to the user to allow or disallow access.

Mozilla Firefox is correct in its treatment of certificates

Sorry folks, Mozilla got it right! I'm an Information Security person for a living and this REALLY needs to be done! I have NO problems with the way that Firefox does this (they MIGHT want to provide more "user friendly" explanation text, but I have no problems with it as it sits!)...

Just not enough. You need even more


Recent studies by heise Security staff of several thousand valid certificates, none of which generated an error in a browser, found that approximately one in 30 of these used weak keys - an alarmingly high number. Among these were online shops where people would be expected to enter their credit card details.

For a certificate to be accepted by a browser without issuing a warning, the certificate needs to be issued by a recognised certification authority (CA). All of those that we contacted said that they would revoke any weak keys and freely replace them, but it seems clear that not many certificate owners have checked and replaced their certificates.

More at:
http://www.heise-online.co.uk/news/Many-weak-web-server-certificates-threaten-online-shopping--/111023

I agree with the warning - long overdue in my opinion...


I agree with the warning - long overdue in my opinion.

Why not recognize DoD certs?


My only question is why didn't Mozilla decide to put the DoD onto their trusted list of cert authenticators? If we can't trust our own DoD then why trust anyone?

Why not recognize DoD certs.

There is nothing stopping Joe Blow from becoming his own CA, and issuing his own certificates, signed by his CA. All you need to become your own CA is the ability to read a man page and use openssl. The reason not to trust ad hoc CAs is that this is a slightly more arcane way to spoof certificates. Real CAs are trusted not just by the fact that it costs money to get them, but by the fact that they're an independent agency ostensibly in the CA business.

MIT is an example of an institution that is its own CA. I personally trust the people who set up that CA. The difference is that while MIT does force its affiliates to accept its CA to use internal special https sites, it does not force those onto the public sites. If any institution can't fork out USD $15 for a real cert, then perhaps it should take down its web server and communicate with its customers via first class mail.

Finally, there's nothing stopping you from personally adding a DoD CA to your browser's list of trusted CAs. Feel free to read up on how to do this if you feel so inclined.
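The two claims in the post above, that becoming your own CA is a few openssl commands and that a certificate is accepted only when its issuer is in the trust store the verifier is handed, plus the point from the heise study earlier in the thread that a certificate which validates cleanly can still carry a weak key, as an added example that is not from this thread or any of its posters. The CA names, the host name shop.example and the temporary working directory are made up for the demonstration; `openssl verify -CAfile` stands in for the browser's trust store, and the script assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example: a throwaway CA, a leaf certificate issued by it, and a
# chain check that succeeds only against the issuing CA. Every name here
# (Joe Blow CA, Some Other CA, shop.example) is invented for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Step 1: a self-signed root. This is all "becoming your own CA" takes.
#   $1 = file prefix under $WORK, $2 = common name for the CA
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Step 2: a key and CSR for the site, signed by the chosen CA.
#   $1 = CA prefix, $2 = leaf prefix, $3 = RSA key size in bits
make_leaf() {
  openssl req -newkey "rsa:$3" -nodes -subj "/CN=shop.example" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -days 30 \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -out "$WORK/$2.crt" 2>/dev/null
}

# Step 3: the chain check a browser performs. It passes only if the CA
# that signed the leaf is in the trust store given with -CAfile.
#   $1 = trust store (PEM file of trusted roots), $2 = leaf prefix
# Prints OK or FAIL.
verify_against() {
  if openssl verify -CAfile "$1" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Step 4: the check the heise study was doing. A certificate that passes
# step 3 can still carry a key that is too small to be safe.
#   $1 = leaf prefix; prints the RSA modulus size in bits
leaf_key_bits() {
  openssl x509 -in "$WORK/$1.crt" -noout -pubkey \
    | openssl rsa -pubin -noout -text 2>/dev/null \
    | sed -n 's/^.*Public-Key: (\([0-9]*\) bit).*$/\1/p'
}

# Demonstration run.
make_ca joeblow "Joe Blow CA"
make_ca other   "Some Other CA"
make_leaf joeblow shop    2048
make_leaf joeblow oldshop 1024
echo "shop.example against the CA that issued it: $(verify_against "$WORK/joeblow.crt" shop)"
echo "shop.example against an unrelated CA:       $(verify_against "$WORK/other.crt" shop)"
echo "oldshop certificate key size:               $(leaf_key_bits oldshop) bits"
```

The second line of the run is the situation the thread is arguing about: the certificate is perfectly well formed and correctly signed, but the verifier has never heard of the signer, so the only honest result is a failure and a question to the user. The third line is the separate problem from the heise study: the 1024-bit certificate verifies just as cleanly against its own CA, so a clean chain check says nothing about key strength.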

We all should go to ipV6..


We should all go to ipV6. I have been looking for ipV6 SOHO routers and asking my ISP for ipV6, so far without success. If the other end can be verified and authenticated then it should be easy to track down the criminals that are causing great harm to the general public's use of the internet.

The US Government is moving to ipV6. So should the general public. Ask your equipment vendors for ipV6 and ask your isp for ipV6.

And how would that help?


I fail to see how IPv6 would help in this situation. If you think that:
a) IPv6 offers end-to-end security by default
or
b) IPv6 security is not based on the same model of keys/certificates/trust as the present system,

then I strongly suggest you do some more reading on the subject.

IPv6 is nothing more than another protocol. It's not a panacea, and it will not solve this kind of problem.

Mozilla is correct in its Certificate Authorities; it is about

The problem with Certificate Authorities that are old and outdated is that some are still using 1024 bits instead of 2048 or 4096 bits with either SSL v3.0 or TLS along with AES 128 or 256. The old certificates usually come with mid-90s Certificate Authorities: 1024-bit, SSL 2 with 56-bit, thus tunneling and encapsulation occurs and wreaks havoc on the system infrastructure. I say start making everybody, including public agencies, use 2048 or 4096 bits like everybody else; there is no excuse for outdated Certificate Authorities.

Open standards


I applaud Mozilla for its efforts to better ensure data privacy and protection. We clearly need more open standards though in the SSL/encryption space so that keys and certs issued are recognized--no matter the vendor/issuer.

There's an interesting study on the biz cost of poorly managed certs at http://www.venafi.com/Collateral_Library/VenafiEncryptionStudy2007.pdf

What's the big deal


Other browsers (IE, Opera, Netscape, Safari, Chameleon, etc. ad nauseam) have been throwing up warnings for expired and SSC certificates for years.
