=== chris15 is now known as chris14
[18:40] https://www.washingtonpost.com/technology/2022/11/30/trustcor-internet-authority-mozilla/ → are you working on removing TrustCor CAs from browsers, ca-certificates, ...?
[19:13] JanC: we can't really for ca-certificates...mozilla isn't removing the CA, they are rejecting certs issued after a certain date...something that ca-certificates, openssl, gnutls don't support
[19:13] JanC: for firefox and thunderbird, they use their own embedded nss, so it will get updated with the next browser updates
[19:13] that seems problematic, as they can easily antedate their own spyware certificates
[19:14] hrm, yeah, that's true...I wonder why mozilla chose to go that route instead of just removing it
[19:14] and I wonder if anything legitimate was signed by them
[19:14] if not...
[19:15] I'll have to see if there's been any updates in the mozilla bugs
[19:16] it's possible TrustCor did some legit stuff to cover for the spyware, but IMO better to block those than allow the spyware (the faster their customers are aware the better!)
[19:17] I mean, legit customers would be even more vulnerable
[19:19] I wish the people who distribute these CA collections would do more due diligence on CAs :-(
[19:20] any company that uses anonymous tax haven addresses & PO Boxes as their only company addresses should never be allowed to be a CA
[19:22] this is mozilla's commit https://hg.mozilla.org/projects/nss/rev/a871902c05907db3150ac8b7f6a80dd01b5d38c9
[19:22] perhaps I'm misinterpreting CKA_NSS_SERVER_DISTRUST_AFTER
[19:22] I thought it meant certs they signed after that date, but now I think I'm wrong
[19:23] you might be right about what they do, but I think that is wrong
[19:24] that only makes sense when a CA can be trusted and only the certificate is compromised
[19:24] or something like that
[19:27] so this was their decision: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ
[19:27] "There is no evidence of TrustCor mis-issuing TLS or SMIME certificates."..."If evidence is found that the CA has mis-used certificates or the CA backdates certificates to bypass the distrust-after settings, then we will remove the root certificates from Mozilla’s root store in an expedited timeline, without waiting for the end-entity TLS certificates to expire."
[19:29] I'm curious if any legitimate services will be blocked if we remove the cert completely
[19:29] we did something similar in the past with a cert that mozilla had just dated and we got burned, so I'm hesitant to remove something mozilla hasn't
[19:32] supposedly they've worked with a company that makes secure traffic inspection boxes in the past...
[19:32] lol, that doesn't sound good :)
[19:36] stuff like """TrustCor operates the mail encryption product MsgSafe and a beta version of MsgSafe contained the only known unobfuscated version of the spyware SDK.""" are even less assuring
[19:36] selling "secure mail" products that contain spyware?
[19:36] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/WJXUELicBQAJ?
[19:38] """TrustCor uses Princeton Audit Group (PAG) as its auditor.
[19:38] According to CCADB records, PAG does not audit any other publicly-trusted CAs. """
[19:40] they have been sued for registering domains that almost looked like company domains too (intended for phishing?)
[19:40] ok, I think you've convinced me...let me think about it and I'll probably prepare ca-certificates updates on monday once I've gotten an agreement from the rest of the team
[19:40] maybe discuss it with others (other distros, upstream?)
[19:41] https://www.wipo.int/amc/en/domains/search/text.jsp?case=D2018-1096#:~:text=Investigations%20conducted%20by,clients%20or%20employees
[19:42] I can't see any legitimate reason for a legitimate CA to buy any "bfgoodrich" domains
[19:43] that "safe mail" tool is supposedly often used by scams & phishing & such also
[19:44] (but that's probably true about some legit safe mail providers)
[19:44] I've asked the other in the team if they are in agreement and I'll remove them
[19:44] *others
[19:47] I suggest reading that WP article (& their previous one) + everything they link to :)
[19:48] personally I have blocked them, but it's unlikely I will encounter any of their legit uses :)
[19:53] """I have listed a few of the public audits I have found here [1], and Mozilla
[19:53] also has them listed here [2]. What I've found is that in the standard and BR
[19:53] audits for 2018, 2019, 2020, and 2021, as well as the code signing audits for
[19:53] 2020 and 2021, their auditor consistently describe the CA's "Certification
[19:53] Authority (CA) operations at Toronto, Ontario, Canada". According to what I've
[19:53] learned from this thread (please correct me if I am wrong) TrustCor was not a
[19:53] Canadian company during this time and did not have an office in Canada. This is ten different audits over four years."""
[20:02] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/Equ9-qk5BQAJ
[20:02] """Despite advertising "end-to-end encrypted email" (see above screenshot, taken today), MsgSafe does not actually provide end-to-end encryption (E2EE), as the term is commonly understood"""
[20:07] mdeslaur: seems like mostly No-IP customers would be impacted?
[20:08] that might be significant number of people...
[20:22] although maybe it's only the free tier
=== brassado is now known as sam_sepi0l
[23:24] JanC: I will be preparing ca-certificates updates first thing monday morning.
[23:25] okay :)
[23:26] I hope the fall-out isn't too big
[23:27] most people only would encounter those certificates in their browser anyway
[23:28] especially those who wouldn't understand what's happening