Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mozilla Asks All CAs To Audit Security Systems

Posted by timothy on from the security-to-electronics-for-an-aisle-sweep dept.

Trailrunner7 writes "Already having revoked trust in all of the root certificates issued by DigiNotar, Mozilla is taking steps to avoid having to repeat that process with any other certificate authority trusted by Firefox, asking all of the CAs involved in the root program to conduct audits of their PKIs and verify that two-factor authentication and other safeguards are in place to protect against the issuance of rogue certificates."

3 of 77 comments (clear)

  1. If you ask nicely enough... by dremspider · · Score: 5, Insightful

    If you ask nicely enough maybe they will do something about all their problems. What needs to happen is Mozilla needs to get with Microsoft, Chrome, Apple etc and say unless you submit yourself to an INDEPENDENT audit you will be revoked from our default trusted root certs. SSL has been destroyed, not because of protocol problems but because of the companies running the show. It was a race to the bottom from the beginning. Who could provide the cheapest service and make the most profit off of it. This model doesn't mesh well with Security and never will. Once one company operates their systems cheaply, everyone else must follow so as to maintain low prices.

    1. Re:If you ask nicely enough... by ObsessiveMathsFreak · · Score: 5, Insightful

      What needs to happen is Mozilla needs to get with Microsoft, Chrome, Apple etc and say unless you submit yourself to an INDEPENDENT audit you will be revoked from our default trusted root certs.

      The recent "Too big to fail" CA == Bank comparision story was all too succinct a comparision, and this method won't work for the same reason an independent audit of the banks won't work. In short, most if not all CAs are likely security bankrupt.

      Investigation is likely to find that CAs are only one step above flight by night organisations, with slipshod practices, procedures and security at every possible level, from the main servers to the secretaries email inbox. Are you ready to deal with the fallout from such revelations?

      Are you ready to actually revoke security authentication from millions of sites across the internet? Are you ready to deal with every major browser throwing a blue screaming fit every time a user connects to a major web commerce login? Are you ready and able unclog a seized up system, signed up to by every major player on the internet, and which a substantial portion of the modern net itself now rests on?

      The major problem here is the browsers, and Mozilla's actions here--requesting the CAs to police themselves--are exactly analogous to how our international banking system was woefully mismanaged over the last decades. What Mozilla should be doing is moving away from reliance on the Certification Authority system altogether. It has failed. It has become dangerous to users and website. It must be replaced or abandoned.

      Removing the DEFCON 2 warnings for self signed certs will be the first step in the right direction. Until then, Mozilla is just continuing to be part of the problem.

      --
      May the Maths Be with you!
  2. Two factor, three factor by roman_mir · · Score: 5, Insightful

    Who can trust a CA? Why would you trust a CA? How did a CA earn your trust?

    Mozilla, it's time to own up. This is a bunch of nonsense. Stop treating self signed certificates like cancer, provide a way to see the fingerprint clearly, don't bother with the 'lock' icon and start working on some real innovation - how to do trust by having distributed lists of fingerprints, signatures, whatever. Something that doesn't rely on a signing authority at all.

    You want to do real innovation instead of looking at hiding address bar from the users? Do this instead.

    --
    You can't handle the truth.