User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:22.214.171.124) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:126.96.36.199) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)

This is a security vulnerability.

Reproducible: Always
No, it's not. Wells Fargo's CA has passed all required parts of the Mozilla CA inclusion policy (and you'll note that Microsoft, Apple, and Google also support this root). They pass the same audits and conformance checks as other CAs. If there is a specific issue with their root or their certificate issuance policies, please cite them. See bug 342996 where this was requested and approval granted. See also http://www.mozilla.org/projects/security/certs/policy/ for details on Mozilla's root inclusion policy.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID
Looked at bug 342996, marking verified.
Status: RESOLVED → VERIFIED
Assignee: nobody → kathleen95014
Component: Security → CA Certificates
Product: Firefox → mozilla.org
QA Contact: firefox → ca-certificates
Version: unspecified → other
Thank you for your reply. I did not notice that MS/Apple/Google accept their cert as well. Thanks for pointing that out; I will pursue this matter with them as well. Can you please detail your CA inclusion policy? What kind of checks are required to allow a root CA into Firefox? Furthermore, what criteria do you use to determine which CAs are allowed and which CAs are not allowed? Thanks in advance for taking part in this discussion. I believe very passionately that this is a vulnerability and will point out exactly how in further comment posts.
For information about the decision to include Wells Fargo's root, see https://bugzilla.mozilla.org/show_bug.cgi?id=428390#c13
Chris, you claim to have rationale explaining why this is an issue, can you share this, or clarify somehow?
Last year at BlackHat, Moxie Marlinspike turned SSL into a piece of Swiss cheese. His demonstrated attack on this failing protocol had me so spooked that when I left his session, I was scared to connect to my company's VPN at the time, and I worked for iSEC Partners! Soon I understood the fundamentals of our HMAC key and learned how and why a pre-shared private key being sent as the first bit of traffic was the only thing preventing our VPN from the type of attack demonstrated. I am currently doing security work for one of the top software companies in the world, and they might well be awarded the Pwnie for Mass 0wnage in 2010. What I have seen is very scary and there has been no disclosure to date. If this can happen in front of my eyes and nobody knows about it, I'm scared to think about what has happened to Wells, Google, Adobe, etc. CAs are dead. SSL is dead. All a certificate proves is that someone had $900. It doesn't state anything about their integrity and commitment to responsible disclosure in the event you are compromised. If Wells can pass your requirements for what is deemed to be an acceptable CA, I kindly request that you re-review your requirements. In particular, how can you account for a company that has had their PKI infrastructure exposed and will not disclose this to the public? The integrity of your software lies within whom you trust to be valid. Things have changed recently, and it's time for Mozilla to keep up with the pace. Reach out, be a leader. I love your software and you have an opportunity to do something special. Kind Regards, Chris Dean
Several of us were in the room when Moxie gave his talk - it was good research. It was not the end of SSL. The rest of this is handwaving and "take my word for it." It's clear you consider it important, but I'm afraid that's not how we make decisions here. Please let us know when you have some information to share.