Closed
Bug 294730
Opened 19 years ago
Closed 8 years ago
Potential man in the middle attack by verisign and browser will never warn about it.
Categories
(Core :: Security: PSM, enhancement)
Core
Security: PSM
RESOLVED
INVALID
People
(Reporter: duane, Assigned: dveditz)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b2) Gecko/20050516 Firefox/1.0+
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b2) Gecko/20050516 Firefox/1.0+

Due to Verisign having control of both DNS and the inclusion of their root certificate in all browsers, they effectively could man in the middle a large section of the internet by redirecting DNS to a proxy server and then issuing a replacement SSL certificate, and the browser would never warn that anything suspicious was occurring. This is both a huge conflict of interest and a grave concern, especially in light of some other business ventures Verisign has under its belt, being one of the largest companies offering wiretap services to US government bodies, and any other country that can afford to pay for the services.

Reproducible: Always

Expected Results:
No traffic carried over SSL/TLS via any browser can be trusted to be secure. To further this, any browser claiming that your internet traffic is secure is potentially facing a lawsuit due to misleading their customers.
Updated•19 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Comment 1•19 years ago
I was reading one of the Mozilla newsgroups and now I wonder why has this been resolved "INVALID" without a valid statement from any of the mozilla.org members, why is that? I can only guess that it was 'wtchang@redhat.com' because he is the 'component owner'?
Updated•19 years ago
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
Updated•19 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2•19 years ago
(In reply to comment #1) > I can only guess that it was 'wtchang@redhat.com' No need to guess. If you are using Mozilla Suite you can enable the Navigation Toolbar via View->Show/Hide and from there More->Show->Bug Activity Or use the link below: https://bugzilla.mozilla.org/show_activity.cgi?id=294730
Comment 3•19 years ago
The way to fix this is an (optional) popup window notifying you of changes to a certificate since the last time you visited this website. This alert box should show some details about the old certificate and the new one.
(In reply to comment #3)
> The way to fix this is an (optional) popup window notifying you of changes to a
> certificate since the last time you visited this website. This alert box should
> show some details about the old certificate and the new one.

I'd settle for one of those warning bar things across the top... Less annoying and likely to stay up longer etc... Also, after a long debate on the newsgroup, the consensus was to have it turned off by default, like OCSP currently is...
Updated•19 years ago
QA Contact: bishakhabanerjee → jason.m.reid
Comment 5•19 years ago
This is not an NSS issue. It is a PSM issue. So, I am moving this bug to PSM. It asks that mozilla adopt a new security model regarding trusted CAs, a model in which CAs are no longer trusted. For mozilla to adopt such a different model requires a policy decision, and that decision would apply to the mozilla browser products, and not to all products that use NSS.
Assignee: wtchang → kaie
Component: Libraries → Security: PSM
Product: NSS → Core
QA Contact: jason.m.reid
Version: unspecified → Trunk
(In reply to comment #5)
> It asks that mozilla adopt a new security model regarding trusted CAs,
> a model in which CAs are no longer trusted.

I'm not saying that they aren't trusted, I'm just after a warning if things change; this could be because of an attack, not just CAs.

> For mozilla to adopt such a different model requires a policy decision,
> and that decision would apply to the mozilla browser products, and not
> to all products that use NSS.

Applies as much to email as it does to browsing; after all, if you can't prove emails aren't being intercepted in the same manner...
Comment 7•19 years ago
So you are suggesting to have a cache on the end user's computer for all the server certificates that you encounter, and whenever you connect to a secure site, a comparison of the current with the cached certificate should be made. You want to be warned of any differences. As a consequence you'll also be warned when a web site simply has changed their certificate for whatever reason. You would be unable to decide, whether the change is a man-in-the-middle-attack or not, or whether it's simply a new cert. You'd only be certain about experiencing a man-in-middle situation when you suddenly saw warnings for many secure sites. And you also would be unable to detect the man-in-the-middle situation when connections to a site have always been rerouted already, because you always got the same cert.
Assignee: kaie → nobody
(In reply to comment #7)
> As a consequence you'll also be warned when a web site simply has changed their
> certificate for whatever reason. You would be unable to decide, whether the
> change is a man-in-the-middle-attack or not, or whether it's simply a new cert.

As things stand at present the browser denies me the ability to make such statements easily.

> You'd only be certain about experiencing a man-in-middle situation when you
> suddenly saw warnings for many secure sites.

As things stand at present the browser denies me the ability to make such statements easily.

> And you also would be unable to detect the man-in-the-middle situation when
> connections to a site have always been rerouted already, because you always got
> the same cert.

Actually this is debatable; for most situations it's unlikely to have a constant man in the middle attack. These are expensive to operate indefinitely, and you would eventually know something was up.
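The cache-and-compare scheme argued over in comments 3 to 8, written out as an added example (this is not code from the bug, from Mozilla or from PSM): a trust-on-first-use store that remembers the certificate each host presented last time and reports whether the next visit matches, is the first sighting, or differs. The names `TofuStore`, `session_verdict` and the byte strings standing in for DER certificates are all assumptions of this example; a real client would feed it the bytes from `ssl.SSLSocket.getpeercert(binary_form=True)`. The `demo` function walks through the two caveats comment 7 raises: a legitimate renewal trips the same warning as an attack, and a proxy that was in place from the very first visit is never noticed.

```python
"""Trust-on-first-use (TOFU) certificate cache as sketched in the thread.
Added example, not Mozilla/PSM code. Certificates here are constructed
byte strings, not real X.509 data."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FIRST_SEEN = "first_seen"
MATCH = "match"
CHANGED = "changed"


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, the value browsers display as the
    certificate fingerprint. Pinning the whole certificate means every
    renewal, even one that keeps the same key, reads as a change."""
    return hashlib.sha256(der_cert).hexdigest()


@dataclass
class Observation:
    host: str
    verdict: str
    old_fp: Optional[str]
    new_fp: str


@dataclass
class TofuStore:
    """Per-host record of the last certificate seen; serialised as JSON so
    it can live in a profile directory between sessions."""
    pins: Dict[str, str] = field(default_factory=dict)

    def check(self, host: str, der_cert: bytes) -> Observation:
        new_fp = fingerprint(der_cert)
        old_fp = self.pins.get(host)
        if old_fp is None:
            self.pins[host] = new_fp          # first visit: nothing to compare
            return Observation(host, FIRST_SEEN, None, new_fp)
        if old_fp == new_fp:
            return Observation(host, MATCH, old_fp, new_fp)
        # Do not overwrite the pin: the user decides whether to accept it.
        return Observation(host, CHANGED, old_fp, new_fp)

    def accept(self, host: str, der_cert: bytes) -> None:
        """User accepted the new certificate (e.g. a legitimate renewal)."""
        self.pins[host] = fingerprint(der_cert)

    def dumps(self) -> str:
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def loads(cls, data: str) -> "TofuStore":
        return cls(pins=dict(json.loads(data)))


def session_verdict(observations: List[Observation], threshold: int = 3) -> str:
    """Comment 7's heuristic: one changed certificate is ambiguous (rotation
    or attack); many changing in one session point at the network path."""
    changed = [o for o in observations if o.verdict == CHANGED]
    if not changed:
        return "quiet"
    if len(changed) >= threshold:
        return "widespread_change"
    return "isolated_change"


def demo() -> Dict[str, object]:
    # Constructed stand-ins for DER certificates (assumption of this example).
    bank_cert = b"constructed-der:bank.example:key-A"
    bank_renewed = b"constructed-der:bank.example:key-A:renewed"
    mitm_cert = b"constructed-der:bank.example:proxy-key"

    store = TofuStore()
    v1 = store.check("bank.example", bank_cert).verdict     # first_seen
    v2 = store.check("bank.example", bank_cert).verdict     # match
    v3 = store.check("bank.example", bank_renewed).verdict  # changed: benign renewal
    store.accept("bank.example", bank_renewed)
    v4 = store.check("bank.example", mitm_cert).verdict     # changed: proxy cert

    # The accepted pin survives a save/load cycle.
    reloaded = TofuStore.loads(store.dumps())
    v5 = reloaded.check("bank.example", bank_renewed).verdict  # match

    # Blind spot: a store whose very first observation was the proxy's cert.
    from_the_start = TofuStore()
    from_the_start.check("bank.example", mitm_cert)
    v6 = from_the_start.check("bank.example", mitm_cert).verdict  # match, attack invisible

    # Many hosts changing at once is the only strong signal of a path-level attack.
    many = TofuStore()
    hosts = ["a.example", "b.example", "c.example", "d.example"]
    for h in hosts:
        many.check(h, b"constructed-der:" + h.encode() + b":real")
    obs = [many.check(h, b"constructed-der:" + h.encode() + b":proxy") for h in hosts]
    session = session_verdict(obs)  # widespread_change

    return {"visits": [v1, v2, v3, v4, v5, v6], "session": session}
```

Comparing the fingerprint of the whole certificate is the simplest choice and is exactly what produces the false positives comment 7 objects to, since every renewal changes the hash. Pinning the hash of the SubjectPublicKeyInfo instead would survive renewals that keep the same key; that needs an ASN.1 parser and is left out here.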
Comment 9•19 years ago
This should be resolved invalid--it's not a browser bug. It's inescapable that "trusted" entities might in fact turn out to be untrustworthy if the stakes are high enough. I can't imagine Verisign doing something like that casually. They are a for-profit company in pursuit of the almighty dollar like everyone else, and their particular strategy is convincing corporate users that Verisign certificates are somehow more secure than other certs that cost a tenth as much. If it came out that they had spoofed a certificate, even under a law enforcement or national security order (i.e. the spoofing was part of an FBI investigation of some site), that would be tremendously damaging to their future sales. I can think of some hacks that paranoid server operators could do to thwart this kind of attack, based on using multiple IP addresses dynamically bound to subdomains. People really concerned about it can probably think of similar hacks.
Updated•17 years ago
QA Contact: psm
New technologies are being developed to address this. There's key pinning, CAA, certificate transparency, etc. I don't think we need to keep this bug open.
Status: NEW → RESOLVED
Closed: 19 years ago → 8 years ago
Resolution: --- → INVALID