On 03/14/14 07:18, Hanno Böck wrote:
> However, I'd really like to stress again that I'd find it a very worrying signal if this issue stays unfixed for three more major Firefox versions to come. I'm pretty sure if at some point we want to get real certificate validation again and advocate for widespread enabling of OCSP stapling, this issue will hit us and prevent adoption.
Here's my take on the situation: OCSP stapling is a way for a site operator to opt in to an enhanced security situation. By enabling it, they're saying, "I want to increase the assurance that my users are communicating with this site over a secure channel that no one is eavesdropping on or tampering with." However, when a site operator instructs users to add an exception, this causes a decreased security situation. This is because a man-in-the-middle attacker can simply present any certificate whatsoever and users will click through to add an exception. At that point, there is no expectation of security.

The question is, what's the right thing for Firefox to do? Does it take OCSP stapling as an indication that it should be more strict and secure? Or does it allow certificate exceptions that leave users open to attack? I don't know the right answer to this, but luckily there's a way to have our cake and eat it too.

As far as I can tell, the underlying issue is that the CA that issued the certificate you're expecting users to add an exception for is not in Mozilla's root certificate program. Until it is, all your users (should) need to do is download the CA certificate and import it by going to Preferences -> Advanced -> Certificates -> View Certificates -> Authorities and clicking "Import...". (After that, they may have to find it in the list of authorities, select it, click "Edit Trust..." and make sure the "This certificate can identify websites" box is checked.) If this doesn't work, please file a bug.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto