Closed Bug 726003 Opened 13 years ago Closed 11 years ago

Firefox Does not Honor Certificate Pinning Under All Circumstances

Categories

(Firefox :: Untriaged, defect)

10 Branch
x86_64
Windows 7
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: noloader, Unassigned)

Details

User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C)

Steps to reproduce:

Trustwave, [formerly?] an included CA, engaged in willful misconduct by allowing subversion of the PKI system. [1] The expected response from security-minded folks should be to pin known certificates so that Trustwave cannot engage in the deceptive business practices. Unfortunately, it appears Firefox disregards the request to pin a certificate under some circumstances, which helps a bad actor carry out his/her attacks against users. [2]

[1] https://www.computerworld.com/s/article/9224082/Trustwave_admits_issuing_man_in_the_middle_digital_certificate_Mozilla_debates_punishment
[2] http://ssl.entrust.net/blog/?p=615

Actual results:

Users suffered another Man in the Middle attack from bad actors.

Expected results:

Firefox should have been configured securely out of the box, so that those who want insecure behavior must explicitly perform an action to do so. Firefox's choice to silently place all users at risk is questionable. Additionally, Mozilla's desire to accommodate CAs appears to be clouding its judgment in light of the fact that not all CAs can be trusted. Until such time that all CAs are trustworthy (in practice), Mozilla should treat all CAs with suspicion and expect that any number of CAs are colluding with government and other bad actors to harm its users. This is security related, but transparency is not desired. Awareness, and a fix, is desired.
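Added example, not code from Firefox, Mozilla or either linked article: a stand-alone illustration of what "pinning a certificate" has to mean for it to protect against a misissued certificate from a CA the browser already trusts. The pin is computed HPKP/RFC 7469 style as base64(SHA-256(DER SubjectPublicKeyInfo)), so a rogue certificate for the same host with a different key fails the pin even though its chain validates. The contrast function `verify_exception_only` is a hypothetical weak design (a remembered key consulted only when chain validation fails) included to show the failure mode the report complains about; it is not a description of Firefox internals. The DER encoder, the RSA moduli, the trust store and the "certificates" are all constructed toy data, not real keys or real CAs.

```python
import base64
import hashlib

# --- Minimal DER encoder, only what a SubjectPublicKeyInfo (SPKI) needs ---
def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def der_int(n: int) -> bytes:
    """DER INTEGER: minimal big-endian bytes, with a leading 0x00 if the top bit is set."""
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING (RSAPublicKey) }"""
    alg = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")  # rsaEncryption, NULL params
    rsa_pub = der_tlv(0x30, der_int(n) + der_int(e))                      # RSAPublicKey { n, e }
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))          # BIT STRING, 0 unused bits

def spki_pin(spki_der: bytes) -> str:
    """RFC 7469 style pin: base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode()

# --- Constructed data: toy RSA moduli (NOT real keys), a toy trust store, toy "certificates" ---
E = 65537
SPKI_LEGIT = rsa_spki_der(0xC0FFEE_0000000000000000_0000000000000001, E)
SPKI_MITM = rsa_spki_der(0xBADC0DE_0000000000000000_0000000000000001, E)

TRUSTED_CAS = {"Example Root CA", "Other Root CA"}      # both are in the client's trust store
PINS = {"www.example.com": {spki_pin(SPKI_LEGIT)}}      # pin set recorded on an earlier, good visit

LEGIT_CERT = {"host": "www.example.com", "issuer": "Example Root CA", "spki": SPKI_LEGIT}
# Chains to a trusted CA but carries a different key: the "misissued by a trusted CA" case.
MITM_CERT = {"host": "www.example.com", "issuer": "Other Root CA", "spki": SPKI_MITM}
ROGUE_CERT = {"host": "www.example.com", "issuer": "Unknown CA", "spki": SPKI_MITM}

def verify_exception_only(cert: dict, remembered: dict, trusted_cas: set) -> str:
    """Hypothetical weak design, for contrast: the remembered key is consulted only when
    chain validation FAILS, so any certificate from a trusted CA is accepted unchecked."""
    if cert["issuer"] in trusted_cas:
        return "ok"
    if spki_pin(cert["spki"]) in remembered.get(cert["host"], set()):
        return "ok"
    return "untrusted-chain"

def verify_pinned(cert: dict, pins: dict, trusted_cas: set) -> str:
    """Pin check is unconditional: a valid chain does not bypass it."""
    if cert["issuer"] not in trusted_cas:
        return "untrusted-chain"
    if cert["host"] in pins and spki_pin(cert["spki"]) not in pins[cert["host"]]:
        return "pin-mismatch"
    return "ok"

if __name__ == "__main__":
    for name, cert in [("legit", LEGIT_CERT), ("mitm", MITM_CERT), ("rogue", ROGUE_CERT)]:
        print(f"{name:5s} exception-only={verify_exception_only(cert, PINS, TRUSTED_CAS):16s}"
              f" pinned={verify_pinned(cert, PINS, TRUSTED_CAS)}")
```

The pin is taken over the public key rather than the whole certificate so that a legitimate renewal with the same key still matches; in practice the pin set would also hold a backup pin for a key held offline, and pins would be tied to a validity period, neither of which the toy above models.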
No reason to keep it open...
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID