Jan Schejbal:
> Akamai, a very big content distribution provider used by MANY
> organisations including the German Finanzamt (equivalent to the IRS),
> had a weak key. If I put
> 127.0.0.1 a248.e.akamai.net
> into my hosts file and run an apache with the broken cert (key got
> published in some forums), I can use firefox 3 to connect to
> https://a248.e.akamai.net (which is my local machine) without any
> warnings.

I checked the certificate of the domain mentioned above and it doesn't use a weak key due to the Debian bug. However it does succeed perhaps because this CA doesn't operate an OCSP service (or there is no OCSP service URL in the certificate) and you haven't imported the CRL from that CA (Firefox should really fetch CRLs automatically).

> The RSA blacklists for 1024 and 2048 are 12.8 MB total in
> uncompressed ASCII format,

Shipping NSS with another 12 MB has been ruled out so far. See https://bugzilla.mozilla.org/show_bug.cgi?id=435082

>
> My suggestion: Issue a FF3 update ASAP that includes (or downloads) the
> blacklists, and shows a warning if a server uses a vulnerable cert.
> Consider that it is possible that stupid admins forgot to change the
> certs (so the warning MAY be shown on legitimate sites), but it is also
> possible that a site already using a new cert gets MitM-ed with an old
> cert.

A much better solution would be to fetch the CRLs by default. At least 80% of the CAs in NSS have publicly committed to get rid of the affected keys in this way or the other, all of them using OCSP responders. For the remaining CAs the situation isn't clear yet and CRLs aren't fetched automatically.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
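
The reply's explanation of why no warning appears, as an added example that is not part of the original message: it classifies a certificate by which revocation source a client can actually consult, taking the dict that Python's `ssl.SSLSocket.getpeercert()` returns. The function names, the `auto_fetch_crl` switch and the sample certificates are constructed for illustration; the client behaviour modelled is the one the reply describes (OCSP is used when the certificate carries a responder URL, CRLs only when imported by hand).

```python
# Added example: which revocation source can a client consult for a certificate?
# Input has the shape of ssl.SSLSocket.getpeercert(); all sample data is constructed.

def issuer_cn(cert):
    """Return the issuer commonName from a getpeercert()-style dict."""
    for rdn in cert.get("issuer", ()):          # tuple of RDNs
        for key, value in rdn:                  # each RDN: tuple of (key, value)
            if key == "commonName":
                return value
    return None

def audit(cert, imported_crl_issuers=frozenset(), auto_fetch_crl=False):
    """Classify revocation coverage.

    imported_crl_issuers: issuer names whose CRL the user imported manually.
    auto_fetch_crl: hypothetical client setting; False models the behaviour
    described in the thread (CRLs are not fetched automatically).
    """
    ocsp = list(cert.get("OCSP", ()))
    crl_dps = list(cert.get("crlDistributionPoints", ()))
    issuer = issuer_cn(cert)
    crl_usable = (bool(crl_dps) and auto_fetch_crl) or issuer in imported_crl_issuers
    if ocsp:
        status = "ocsp"          # responder URL in the cert: revocation is visible
    elif crl_usable:
        status = "crl"           # CRL fetched or imported: revocation is visible
    else:
        status = "unchecked"     # a revoked cert would be accepted silently
    unfetched = [] if auto_fetch_crl else crl_dps
    return {"issuer": issuer, "status": status, "ocsp": ocsp,
            "unfetched_crl_dps": unfetched}

# Constructed sample certificates (not real CAs or hosts).
_ISSUER = ((("commonName", "Constructed Test CA"),),)
CERT_OCSP = {"issuer": _ISSUER, "OCSP": ("http://ocsp.example.test",),
             "crlDistributionPoints": ("http://crl.example.test/ca.crl",)}
CERT_CRL_ONLY = {"issuer": _ISSUER,
                 "crlDistributionPoints": ("http://crl.example.test/ca.crl",)}
CERT_NONE = {"issuer": _ISSUER}

if __name__ == "__main__":
    for name, cert in [("ocsp", CERT_OCSP), ("crl-only", CERT_CRL_ONLY),
                       ("none", CERT_NONE)]:
        print(name, audit(cert))
    # The fix proposed in the reply: fetch CRLs by default.
    print("crl-only, auto fetch:", audit(CERT_CRL_ONLY, auto_fetch_crl=True))
```

Certificates that come back as `unchecked` are the ones for which a CA's revocation of a weak key has no effect on the client.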