Root CA certs owned by ISPs may be harmful to users of those ISPs' services

RESOLVED WONTFIX

Status

RESOLVED WONTFIX
11 years ago
a year ago

People

(Reporter: nathalie.heimer, Assigned: hecker)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13

Firefox contains a "Swisscom Root CA" certificate as a "Builtin Object Token".

However Swisscom (the main, ex-monopolist telephone company in Switzerland) is an ISP, and therefore certificates from them should not be installed in browsers by default.

There is no information about the company abusing the double role of ISP and CA to snoop or hijack web traffic of customers. There is inofficial information however that the company is abusing its power as CA by operating a man-in-the-middle HTTPS proxy which intercepts HTTPS connections from the company's employees, reportedly with the justification of removing malware.

The problem with this is that if the above information is true, any single person with (authorized or unauthorized) access to both any PC within Swisscom and to the company's router configuration files has the power to hijack HTTPS traffic of the company's customers without them noticing.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Actual Results:  
-

Expected Results:  
-

-
Assignee: nobody → kengert
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
Version: unspecified → Trunk
Assignee: kengert → hecker
Component: Security: PSM → CA Certificates
Product: Core → mozilla.org
QA Contact: psm → ca-certificates
Version: Trunk → other
This is hardly a new issue. 
See also root certs for 

- America Online Inc
- AOL Time Warner Inc
Summary: Firefox contains a possibly harmful certificate as a Builtin Object Token → Root CA certs owned by ISPs may be harmful to users of those ISPs' services

Comment 3

10 years ago
Its been a long time since progress, is this still a problem?

Comment 4

10 years ago
I think some evidence or testimonial should be provided on this issue. If the CA issues knowingly certificates without going through their proper procedures, than they wouldn't conform to the Mozilla CA Policy and can be removed. However I highly doubt that claim, because most likely they are using a different root which is trusted internally in order to perform their MITMs. For Firefox browsers this shouldn't work since FF uses its own certificate store and not that of the system.

Discussion on this issue should be held at the mozilla.dev.security.policy mailing list.

Updated

8 years ago

Comment 5

4 years ago
IF easier for users to filter then delete expired certificates, or certificates no longer wish retain, might this reduce problems or create more as users added more ?

Comment 6

2 years ago
I don't see an open action item for this bug, so closing as wontfix.

If needed, please open a discussion about this in the mozilla.dev.security.policy forum.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX

Updated

a year ago
Product: mozilla.org → NSS
You need to log in before you can comment on or make changes to this bug.