=== chris15 is now known as chris14
JanChttps://www.washingtonpost.com/technology/2022/11/30/trustcor-internet-authority-mozilla/ → are you working on removing TrustCor CAs from browsers, ca-certificates, ...?18:40
mdeslaurJanC: we can't really for ca-certificates...mozilla isn't removing the CA, they are rejecting certs issues after a certain date...something that ca-certificates, openssl, gnutls don't support19:13
mdeslaurJanC: for firefox and thunderbird, they use their own embedded nss, so it will get updated with the next browser updates19:13
JanCthat seems problematic, as they can easily antidate their own spyware certificates19:13
mdeslaurhrm, yeah, that's true...I wonder why mozilla chose to go that route instead of just removing it19:14
mdeslaurand I wonder if anything legitimate was signed by them19:14
mdeslaurif not...19:14
mdeslaurI'll have to see if there's been any updates in the mozilla bugs19:15
JanCit's possible TrustCor did some legit stuff to cover for the spyware, but IMO better to block those than allow the spyware (the faster their customers are aware the better!)19:16
JanCI mean, legit customers would be even more vulnerable19:17
JanCI wish the peopel who distribute these CA collections would do more due diligence on CAs  :-(19:19
JanCany company that uses anonymous tax haven addresses & PO Boxes as their only company addresses should never be allowed to be a CA19:20
mdeslaurthis is mozilla's commit https://hg.mozilla.org/projects/nss/rev/a871902c05907db3150ac8b7f6a80dd01b5d38c919:22
mdeslaurperhaps I'm misinterpreting CKA_NSS_SERVER_DISTRUST_AFTER19:22
mdeslaurI thought it meant certs they signed after that date, but now I think I'm wrong19:22
JanCyou might be right about what they do, but I think that is wrong19:23
JanCthat only makes sense when a CA can be trusted and only the certificate is compromised19:24
JanCor something like that19:24
mdeslaurso this was their decision: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ19:27
mdeslaur"There is no evidence of TrustCor mis-issuing TLS or SMIME certificates."..."If evidence is found that the CA has mis-used certificates or the CA backdates certificates to bypass the distrust-after settings, then we will remove the root certificates from Mozilla’s root store in an expedited timeline, without waiting for the end-entity TLS certificates to expire."19:27
mdeslaurI'm curious if any legitimate services will be blocked if we remove the cert completely19:29
mdeslaurwe did something similar in the past with a cert that mozilla had just dated and we got burned, so I'm hesitant to remove something mozilla hasn't19:29
JanCsupposedly they've worked with a company that makes secure traffic inspection boxes in the past...19:32
mdeslaurlol, that doesn't sound good :)19:32
JanCstuff like """TrustCor operates the mail encryption product MsgSafe and a beta version of MsgSafe contained the only known unobfuscated version of the spyware SDK.""" are even less assuring19:36
JanCselling "secure mail" products that contain spyware?19:36
JanC"""TrustCor uses Princeton Audit Group (PAG) as its auditor.19:38
JanCAccording to CCADB records, PAG does not audit any other publicly-trusted CAs. """19:38
JanCthey have been sued for registering domains that almost looked like company domains too (intended for phishing?)19:40
mdeslaurok, I think you've convinced me...let me think about it and I'll probably prepare ca-certificates updates on monday once I've gotten an agreement from the rest of the team19:40
JanCmaybe discuss it with others (other distros, upstream?)19:40
JanCI can't see any legitimate reason for a legitimate CA to buy any "bfgoodrich" domains19:42
JanCthat "safe mail" tool is supposedly often used by scams & phishing & such also19:43
JanC(but that's probably true about some legit safe mail providers)19:44
mdeslaurI've asked the other in the team if they are in agreement and I'll remove them19:44
JanCI suggest reading that WP article (& their previous one) + everything they link to  :)19:47
JanCpersonally I have blocked them, but it's unlikely I will encounter any of their legit uses  :)19:48
JanC"""I have listed a few of the public audits I have found here [1], and Mozilla19:53
JanCalso has them listed here [2]. What I've found is that in the standard and BR19:53
JanCaudits for 2018, 2019, 2020, and 2021, as well as the code signing audits for19:53
JanC2020 and 2021, their auditor consistently describe the CA's "Certification19:53
JanCAuthority (CA) operations at Toronto, Ontario, Canada". According to what I've19:53
JanClearned from this thread (please correct me if I am wrong) TrustCor was not a19:53
JanCCanadian company during this time and did not have an office in Canada. This is ten different audits over four years."""19:53
JanC"""Despite advertising "end-to-end encrypted email" (see above screenshot, taken today), MsgSafe does not actually provide end-to-end encryption (E2EE), as the term is commonly understood"""20:02
JanCmdeslaur: seems like mostly No-IP customers would be impacted?20:07
JanCthat might be significant number of people...20:08
JanCalthough maybe it's only the free tier20:22
=== brassado is now known as sam_sepi0l
mdeslaurJanC: I will be preparing ca-certificates updates first thing monday morning.23:24
JanCokay  :)23:25
JanCI hope the fall-out isn't too big23:26
JanCmost people only would encounter those certificates in their browser anyway23:27
JanCespecially those who wouldn't understand what's happening23:28

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!