Obviously such attacks are possible because of the application security, renegotiation just makes it easier. BTW, here is a tool to check if your server is vulnerable to renegotiation attacks: https://www.ssllabs.com/ssldb/
BTW, clients (e.g. browsers) are pretty safe - there is NO need to panic!!
Well, in our solar system at least one planet is spinning the other way around: http://wiki.answers.com/Q/Why_does_venus_spin_the_other_way It's not quite the same as orbiting in the opposite direction, but Venus apparently received a nudge or two as well in order to spin the other way around. Such accidents appear to happen.
...Firefox to view this web site.
Correction, no single-point-of-failure problem. Retracting this statement.
Correct, specific plans exist for various scenarios. Concerning the web-of-trust, there are some inherent problems without a unifying institutional body. See, security has some clear rules which are easier to enforce in a corporate environment. Especially if you work at StartCom ;-)
And yes, I heard about "Perspectives", so it might currently have a single-point-of-failure problem. Personally I don't believe that it should provide a means for self-signed certificates. It might however provide a good additional layer to existing efforts.
I'm quite pleased to receive an A- :-)
The reason for not disclosing anything before is perhaps quite easy to understand. Minor events are logged in the ongoing events logs and no further actions are required. Events in the magnitude of issuing a certificate wrongfully due to a bug, which require modifications to the systems, require detailed reporting (as seen in the "critical event report"). Those reports were reviewed in time by relevant parties and will be presented to the auditors during auditing. A major event like a CA key compromise (we don't sign directly from the root) would have to be made public and handled according to the "disaster recovery guidelines". In such an event, all software vendors, subscribers and the general public must be informed immediately.
The event which happened recently wasn't a major event, but obviously important enough to act accordingly and issue the critical event report. Important to note that no third party could have relied on it and taken damage. Therefore the resolution was appropriate. The disclosure was done in order to prevent any rumors and false accusations about what did and did not happen (once it was published by Mike).
There was huge difference between the recent events and how they were handled. Full Disclosure.
That's because your company distributed their root or server certificate with the Active Directory or domain controller. Chrome currently relies on the Windows cert store, as does IE obviously. Not so Mozilla Firefox, hence the error.
Except you use a CA which doesn't use user names and passwords ;-)
The most likely cause is that your installation isn't complete and the CA chain sent out by your server is missing something. Check the FAQ page and/or installation instructions for more information.
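The "missing something" above is almost always the intermediate certificate. The following script is an added example (not from the thread or from StartCom): it builds a throwaway root -> intermediate -> leaf hierarchy with constructed placeholder names, then checks a served bundle the way a client that trusts only the root would, so the incomplete-chain failure can be reproduced offline. It assumes `openssl` is in PATH.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "server sends an incomplete
# CA chain" failure offline with a constructed root -> intermediate -> leaf test
# hierarchy, then check served bundles the way a client would. Needs openssl.
set -e
WORK=$(mktemp -d)
# Build the constructed test hierarchy (placeholder names, 1-day validity).
make_test_chain() {
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' \
    > "$WORK/ca.cnf"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    >> "$WORK/ca.cnf"
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Example Test Root" >/dev/null 2>&1
  openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" \
    -subj "/CN=Example Test Intermediate" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/int.pem" -days 1 \
    -extfile "$WORK/ca.cnf" -extensions ca >/dev/null 2>&1
  openssl req -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/leaf.pem" -days 1 \
    >/dev/null 2>&1
}
# chain_ok <trusted root> <bundle as the server sends it, leaf first>
# Returns 0 only if a client trusting just the root can build a path to the
# leaf using nothing but the extra certificates the server included.
chain_ok() {
  awk '/BEGIN CERT/{n++} n==1' "$2" > "$WORK/leaf_only.pem"
  awk '/BEGIN CERT/{n++} n>=2' "$2" > "$WORK/extras.pem"
  if [ -s "$WORK/extras.pem" ]; then
    openssl verify -CAfile "$1" -untrusted "$WORK/extras.pem" \
      "$WORK/leaf_only.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/leaf_only.pem" >/dev/null 2>&1
  fi
}
make_test_chain
# Incomplete install: only the leaf is served, so a client that has never seen
# the intermediate has no path to the root (the Firefox error in the thread).
cat "$WORK/leaf.pem" > "$WORK/served_leaf_only.pem"
# Complete install: leaf followed by the intermediate.
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/served_complete.pem"
if chain_ok "$WORK/root.pem" "$WORK/served_leaf_only.pem"; then
  echo "leaf only: verified (unexpected)"
else
  echo "leaf only: chain incomplete, no path to a trusted root"
fi
chain_ok "$WORK/root.pem" "$WORK/served_complete.pem" && echo "leaf + intermediate: chain verifies"
# Live server: openssl s_client -connect host:443 -servername host -showcerts </dev/null
```

Against a real server, feed the certificates printed by the `s_client` line above (leaf first) to `chain_ok` with the CA's published root to see exactly what the browser sees.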
It's the validation which expires after 30 days, not the certificates. StartSSL implements a two stage process for validating attributes like domains, email, identity and organizations and for actually creating and issuing certificates. All certificates of StartCom are valid for one year including the free ones (Class 1).
Opera never shipped the Cacert root at any time nor does it now. Never ever!
That's pure nonsense. No CA ever paid a dime to the Mozilla Foundation or Mozilla Corporation (as opposed to the days of Netscape). Poke around http://groups.google.com/group/mozilla.dev.tech.crypto/topics to get a clue about how Mozilla handles inclusion of CAs.
It's not just there, it has to be verified or it's not there. When visiting mozilla.org which has a certificate from a legitimate CA issued to mozilla.org AND Mozilla Foundation, then you can be pretty sure that this IS the site of Mozilla and nothing else.
You might even want to give them money (and/or provide your credit card or whatever) but ONLY if they are really Mozilla and not some fake site taking your details, right!? That's why identity validation isn't just there, it's there when it's verified (usually)!
Now, you know the site of Mozilla, but what about a site you never visited but still want to provide your details and/or make a purchase? Then you probably prefer to know who they are before doing so...and some known authority confirming that they are who they claim to be.
You have no clue!
Look at this next time your contract expires, concerning at least for your internal sites: https://www.startssl.com/?app=5
StartCom currently has two CA roots and the older one has been around for a while already. Speaking about the older one, Mozilla, Apple and KDE (most likely some others) ship it. The newer root which is now the default served from https://www.startssl.com/ has been in Mozilla since last year and in Apple soon to come. Microsoft and Opera don't support the StartCom CA root for now. Concerning price vs. value ratio (if IE isn't of particular concern) StartCom offers domain validated certificates for free (Class 1) and upgrade to Class 2 for a small fee for identity and organization validation each. Class 2 allows for unlimited certificates (for the subscriber) and the combining of unlimited validated domains, sub domain names and wild cards within the same certificate or in different certificates.
Well, the description of your history is correct in that when Cacert wanted inclusion at Mozilla, all alarm bells came on...So far so good.
But the Mozilla CA policy has existed in some form since the beginning of 2005 at the web site of Frank Hecker (President of the Mozilla Foundation). That was about when StartCom started its own authority. Since then many CAs were included and processed at Mozilla (see history), based on that policy, the very same policy which was eventually approved by Mozilla.
Therefore what I meant is that for over two years already, Cacert could have been included - the very same way StartCom was. More than that, the Mozilla policy was created and defined in a way which made it possible for Cacert and StartCom to comply.
However, I think that there are some real problems with community projects when it comes to having them comply even with the most basic requirements of CAs. This is one of the reasons why I personally don't believe the current structure of Cacert will ever be successful - even if it's a nice idea.
Since the free Class 1 certificates at StartCom are email validated only, it could in theory be possible to write an extension (for Thunderbird) or plugin (for the rest) which would send a prepared certificate request to the CA and, upon receiving the verification key for this client certificate, also install it. Guess this could be made very user friendly indeed, without the need to go through the web site wizard as currently. That could be a good idea and might make S/MIME certs much more popular ;-)
Since Mozilla is an open organization where the community has a lot to say, some members raised valid points against such an inclusion. At the end of the discussion which followed, Mozilla did the right thing and developed its own CA policy. Any CA adhering to this policy can potentially be included into Mozilla software, as StartCom has done.
CAcert will NOT be in Mozilla at any time soon! At least not until they comply with the Mozilla CA policy. Try StartCom instead.
...and promised CACert would be added. That was three years ago...
This is because they didn't comply with the Mozilla policy. There was no such promise, but it essentially made it in theory possible for them to be able to comply with the said policy. However one of the things Mozilla didn't recognize back then is that there are real problems in an open, community only structure.
Free is not a criterion of certification authorities! This is what many supporters of Cacert don't understand...
The real issue with a CA isn't about some source code for the issuing of certificates. There are many open source solutions for that like OpenCA and others. The issue is about policies and practices, how the organization performs and who takes responsibility. Much more to add here...
Should this community be related to the Mozilla Foundation and comply, since day one, with the requirements to get a root certificate in Firefox?
Mozilla has an open policy. The problem is not Mozilla, but as in your suggestion Cacert, which in four years time failed to comply with the policy of Mozilla.
However there are essential problems running a CA by volunteers - which is one of the reasons why there isn't any such volunteer CA supported by major software vendors.
Wikipedia removed anything related about StartCom from it. They declared war on StartCom for whatever reasons, most likely there is a connection between CentOS/Cacert (and the wikipedia admins) and StartCom. StartCom produces amongst others a Linux distribution, but also runs the Free SSL Certification Authority.
What do you mean by free e-mail cert program? StartCom provides free S/MIME certificates and is also progressing to run a Web of Trust system.
Running a certification authority has many, many responsibilities. Since open source and community related structures are handled most of the time by volunteers, such a CA is almost not possible. There are things at a CA which can't wait for some volunteer to be in the mood to do them. CA policies don't allow much playroom, but require strict adherence.
StartSSL of StartCom is the closest it can get as far as pricing and openness are concerned.