On 9/17/2008 4:52 PM, Eddy Nigg wrote:
> On 09/18/2008 02:05 AM, David E. Ross:
>> Note that this is not a unique situation. See bug #390835 at
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=390835>. Unfortunately,
>> Internet Explorer (IE) works around this situation by searching the
>> Internet for missing intermediate certificates. I consider this a
>> security vulnerability in IE. However, because of IE's behavior, many
>> Web server hosts ignore this problem (e.g., Canon, per bug #390835).
>>
>
> Please note that IE isn't "searching" the Internet for missing certs,
> but is using the AIA CA Issuers extension of the server certificate to
> download the missing certificates. If the fetched CA certificate doesn't
> chain to a CA root it will not use it. If there is no AIA extension IE
> will also report an error (as with FF).
>
> There is absolutely no security issue at all with following the AIA CA
> Issuer extension, otherwise FF could not use the same extension to find
> the OCSP responder URL either. Nevertheless NSS does exactly that...uses
> the OCSP URL listed in the AIA extension.
>
> I've been banging my head against a wall here because of this FUD and
> about misinformation which is absolutely incorrect. Sad, because there
> are many FF users running into it. And it doesn't help to ignore the
> fact that web site admins don't install their certs correctly - it works
> in IE and that's it.
>
> Similar tweaks and corrections were made for FF if major sites didn't
> play nicely with standards in order to make FF usable. With the new
> error reporting for invalid certificates, this issue should have been
> solved beforehand. :-(
>
Okay, I chose the wrong words. The vulnerability arises because IE
enables hosts to be sloppy in how they configure their Web servers. If
they won't include the required intermediate certificates, what else are
they not doing properly? Is the server host machine physically secure?
Are databases with personal data about customers (e.g., entered through
secure Web pages) encrypted? Just slap this site certificate into the
server. Don't worry about what secure Web browsing really means.

-- 
David E. Ross
<http://www.rossde.com/>

Go to Mozdev at <http://www.mozdev.org/> for quick access to
extensions for Firefox, Thunderbird, SeaMonkey, and other
Mozilla-related applications. You can access Mozdev much
more quickly than you can Mozilla Add-Ons.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto