=== chris15 is now known as chris14 | ||
JanC | https://www.washingtonpost.com/technology/2022/11/30/trustcor-internet-authority-mozilla/ → are you working on removing TrustCor CAs from browsers, ca-certificates, ...? | 18:40 |
---|---|---|
mdeslaur | JanC: we can't really for ca-certificates...mozilla isn't removing the CA, they are rejecting certs issued after a certain date...something that ca-certificates, openssl, gnutls don't support | 19:13 |
mdeslaur | JanC: for firefox and thunderbird, they use their own embedded nss, so it will get updated with the next browser updates | 19:13 |
JanC | that seems problematic, as they can easily antedate their own spyware certificates | 19:13 |
mdeslaur | hrm, yeah, that's true...I wonder why mozilla chose to go that route instead of just removing it | 19:14 |
mdeslaur | and I wonder if anything legitimate was signed by them | 19:14 |
mdeslaur | if not... | 19:14 |
mdeslaur | I'll have to see if there's been any updates in the mozilla bugs | 19:15 |
JanC | it's possible TrustCor did some legit stuff to cover for the spyware, but IMO better to block those than allow the spyware (the faster their customers are aware the better!) | 19:16 |
JanC | I mean, legit customers would be even more vulnerable | 19:17 |
JanC | I wish the people who distribute these CA collections would do more due diligence on CAs :-( | 19:19 |
JanC | any company that uses anonymous tax haven addresses & PO Boxes as their only company addresses should never be allowed to be a CA | 19:20 |
mdeslaur | this is mozilla's commit https://hg.mozilla.org/projects/nss/rev/a871902c05907db3150ac8b7f6a80dd01b5d38c9 | 19:22 |
mdeslaur | perhaps I'm misinterpreting CKA_NSS_SERVER_DISTRUST_AFTER | 19:22 |
mdeslaur | I thought it meant certs they signed after that date, but now I think I'm wrong | 19:22 |
JanC | you might be right about what they do, but I think that is wrong | 19:23 |
JanC | that only makes sense when a CA can be trusted and only the certificate is compromised | 19:24 |
JanC | or something like that | 19:24 |
mdeslaur | so this was their decision: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ | 19:27 |
mdeslaur | "There is no evidence of TrustCor mis-issuing TLS or SMIME certificates."..."If evidence is found that the CA has mis-used certificates or the CA backdates certificates to bypass the distrust-after settings, then we will remove the root certificates from Mozilla’s root store in an expedited timeline, without waiting for the end-entity TLS certificates to expire." | 19:27 |
mdeslaur | I'm curious if any legitimate services will be blocked if we remove the cert completely | 19:29 |
mdeslaur | we did something similar in the past with a cert that mozilla had just dated and we got burned, so I'm hesitant to remove something mozilla hasn't | 19:29 |
JanC | supposedly they've worked with a company that makes secure traffic inspection boxes in the past... | 19:32 |
mdeslaur | lol, that doesn't sound good :) | 19:32 |
JanC | stuff like """TrustCor operates the mail encryption product MsgSafe and a beta version of MsgSafe contained the only known unobfuscated version of the spyware SDK.""" are even less assuring | 19:36 |
JanC | selling "secure mail" products that contain spyware? | 19:36 |
JanC | https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/WJXUELicBQAJ? | 19:36 |
JanC | """TrustCor uses Princeton Audit Group (PAG) as its auditor. | 19:38 |
JanC | According to CCADB records, PAG does not audit any other publicly-trusted CAs. """ | 19:38 |
JanC | they have been sued for registering domains that almost looked like company domains too (intended for phishing?) | 19:40 |
mdeslaur | ok, I think you've convinced me...let me think about it and I'll probably prepare ca-certificates updates on monday once I've gotten an agreement from the rest of the team | 19:40 |
JanC | maybe discuss it with others (other distros, upstream?) | 19:40 |
JanC | https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2018-1096#:~:text=Investigations%20conducted%20by,clients%20or%20employees | 19:41 |
JanC | I can't see any legitimate reason for a legitimate CA to buy any "bfgoodrich" domains | 19:42 |
JanC | that "safe mail" tool is supposedly often used by scams & phishing & such also | 19:43 |
JanC | (but that's probably true about some legit safe mail providers) | 19:44 |
mdeslaur | I've asked the other in the team if they are in agreement and I'll remove them | 19:44 |
mdeslaur | *others | 19:44 |
JanC | I suggest reading that WP article (& their previous one) + everything they link to :) | 19:47 |
JanC | personally I have blocked them, but it's unlikely I will encounter any of their legit uses :) | 19:48 |
JanC | """I have listed a few of the public audits I have found here [1], and Mozilla | 19:53 |
JanC | also has them listed here [2]. What I've found is that in the standard and BR | 19:53 |
JanC | audits for 2018, 2019, 2020, and 2021, as well as the code signing audits for | 19:53 |
JanC | 2020 and 2021, their auditor consistently describe the CA's "Certification | 19:53 |
JanC | Authority (CA) operations at Toronto, Ontario, Canada". According to what I've | 19:53 |
JanC | learned from this thread (please correct me if I am wrong) TrustCor was not a | 19:53 |
JanC | Canadian company during this time and did not have an office in Canada. This is ten different audits over four years.""" | 19:53 |
JanC | https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/Equ9-qk5BQAJ | 20:02 |
JanC | """Despite advertising "end-to-end encrypted email" (see above screenshot, taken today), MsgSafe does not actually provide end-to-end encryption (E2EE), as the term is commonly understood""" | 20:02 |
JanC | mdeslaur: seems like mostly No-IP customers would be impacted? | 20:07 |
JanC | that might be significant number of people... | 20:08 |
JanC | although maybe it's only the free tier | 20:22 |
=== brassado is now known as sam_sepi0l | ||
mdeslaur | JanC: I will be preparing ca-certificates updates first thing monday morning. | 23:24 |
JanC | okay :) | 23:25 |
JanC | I hope the fall-out isn't too big | 23:26 |
JanC | most people only would encounter those certificates in their browser anyway | 23:27 |
JanC | especially those who wouldn't understand what's happening | 23:28 |