back to article Lazy sysadmins rooted in looming Mozilla cert wipeout

Mozilla is about to revoke some weak X.509 PKI certs, and has warned sysadmins that it will affect the Firefox browser and they'll need to assess their infrastructure. The four affected root certificates from Entrust and ValiCert are marked for removal because they contained weak keys. A further seven from CyberTrust, Thawte …

  1. Anonymous Coward
    Anonymous Coward

    what I'd like to see

    Is the transcripts of Mozilla's conversations with these CA's.

    1. kaie

      Re: what I'd like to see

      Check the archives of Mozilla's dev-security-policy mailing list, where all actions are discussed according to the Mozilla CA policy.

      http://www.mail-archive.com/dev-security-policy@lists.mozilla.org/

      https://lists.mozilla.org/listinfo/dev-security-policy

      https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

      Check the "bugs" in the "CA Certificates" in the bugzilla.mozilla.org system, where all interaction with CAs is publicly tracked, e.g. a search for "1024" within that component:

      https://bugzilla.mozilla.org/buglist.cgi?list_id=11029197&short_desc=1024&query_format=advanced&short_desc_type=allwordssubstr&component=CA%20Certificates

  2. Jay Zelos

    Considering Geotrust are still using the 1024 root CA that's listed on that blog for the EV certs I'm a bit puzzled, especially as they gave notice a year ago they were going to drop it in favour of a new 2048 bit CA.

    1. Jay Zelos

      Just checked and it look likes Geotrust have another intermediate that goes to a 2048 bit CA, hopefully that's on all devices and they just need to update their help pages.

  3. garetht t

    Lazy journos root sysadmins

    "Admins could run the command '$ openssl s_client -showcerts -connect kuix.de:443' to assess if their infrastructure depended on the affected certificates"

    The command given is just an example. Running that command will show you what certs kuix.de:443 is using, not your own site.

    The original article phrases it better: "For example, you could try to use a command like this[...]"

    It's a fine distinction, but I would hold el reg to higher techy standards than a broadsheet rag.

  4. Alister

    I've just queried this with both Mozilla and Entrust - as we have a large number of sites with Entrust SSL certs.

    Just to clarify, Mozilla are removing the 1024bit root and intermediate certificates, and therefore any certs with those in the key chain will fail.

    However, any SSL cert bought within the last 18 months (from Entrust at least) uses the 2048bit root and intermediate certificate chain, and these will not be affected.

  5. streaky

    PKI..

    What I'd like to see - not just from Moz - is a discussion about why there are so many root certs included in the first place, a discussion and documentation of why each one is in there and information about who precisely some of these root authorities are.

    Only then can people make educated decisions about the security of PKI and the removal of certain root certs from their browser. Most of them seem to be distributed for historical reasons and nobody cared about these companies - rogue cert authorities with lax security (physical and technical) can easily start quietly distributing certs for your bank or software drivers that can insert themselves into the kernel on windows boxes.

    1. Anonymous Coward
      Anonymous Coward

      Re: PKI..

      I'd like to scrap the whole CA infrastructure. It's no more trustworthy than self-signed certs; probably worse.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like