1078764 - new CA certificates shouldn't be added/trusted without asking the user

Status: RESOLVED WONTFIX

(Core :: Security, defect)

Description

[Christoph Anton Mitterer]

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0 Iceweasel/32.0.3
Build ID: 20140925082140

Steps to reproduce:

I guess we all know that the strict hierarchical trust model as imposed by X.509 is inherently broken and even with lousy hacks as "HTTPS Everywhere" (which kinda reminds me to the distributed /etc/hosts in the early days of the ARPANET) it will never going to be secure.

But since the involved parties and decision makers (including Mozilla) rather go for money and to keep a broken insecure system alive in order to not make the end users unhappy - we have to live with it (well at least until it fully breaks).


Now,... as a matter of fact, Mozilla includes certificates galore of which many are very well known to be not trustworthy (which again shows, that it just goes after money and not security and/or freedom of users).
This has many reasons:
- fully governmental controlled CAs from totalitarian states (like the CNNIC stuff)
- fully governmental controlled CAs from autocratic states which are known for trying to spy at least all their own people (like TURKTRUST stuff)
- CAs which are known to have intentionally issued forged certificates before (wasn't that again TURKTRUST?)
- CAs which are known to be to incompetent to actually run a CA, and which have "accidentally" issued such forged certificates
- CAs which are simply too small which makes it more likely that they don't have the resources to securely run a CA.


Several bugs in which users asked Mozilla to at least remove the most untrustworthy of these CAs have been ignored/rejected by Mozilla for obscure reasons (I guess the main reason is again money).


Since this behaviour is unlikely to change, users should be given the control to decide about their certificates.
Now of course they already have (to a certain degree) in that they can go through the list of CAs an distrust whatever they want.

But the problem is that Mozilla adds/removes CA certificates with every release and the user neither sees what is added nor what is removed.

Therefore:
A system should be added, that presents the users which certificates Mozilla would like to add in each new release and the users should need to explicitly enable each of them separately until they really get trusted.
Such dialogue should re-appear until the user has done so (just to avoid "accidents" where the browser has crashed or so).

Ideally there would be also a dialogue, which shows the removed certificates (and why they were removed) and the option for the user to reject single removals if he likes to.


This should be implemented in all the Mozilla products (FF, TB, SM, etc.)

Comment 1

[Christoph Anton Mitterer]

Wow,... rejection without even given a reason ^^

I guess the reasons is probably that for Mozilla it's far more easy to silently inject (at best) questionable CAs from totalitarian regimes into users’ systems than to give them a real choice.

Comment 2

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

This is not a feature that would be relevant or meaningful to the vast majority of users. Users who do want this kind of control can manually review the list of CAs in the certificate manager.