[conspire] Critical browser-cerificate problem

Paul Zander paulz at ieee.org
Thu Mar 31 09:24:16 PDT 2011

Speaking of certificates, the following was sent by the company's IT department.  In addition to the problems in the original posting, certificates can cause false failures.

Java client users may have noticed a security warning when launching the application.  This simply indicates that Oracle’s certificate has expired.  Please check the box that indicates: Always trust applications from Oracle to avoid receiving this warning.

Oracle knows about this problem and has it classified as a class 3 bug.  Class 3 means they don’t think it is very important and given their position on support for the Java client I don’t expect a fix from them anytime soon.  We will continue to monitor their progress and if they do provide a fix, we will install it as soon as possible.

--- On Wed, 3/23/11, Rick Moen <rick at linuxmafia.com> wrote:

From: Rick Moen <rick at linuxmafia.com>
Subject: [conspire] Critical browser-cerificate problem
To: conspire at linuxmafia.com
Date: Wednesday, March 23, 2011, 2:37 PM

Here's a long but fascinating story, the bottom line of which 
is that (1) you need to fix your Web browsers immediately so
they will not blithely accept fraudulent SSL certificates for
important Web sites as valid, and (2) it illustrates why the 
whole 'trust this site certificate because it's signed by the good guys' 
model is snake-oil, and always has been.

(The latter point is not news to those who've been paying attention.
For more, see the relevant chapter in Bruce Schneier's layman-level book
on security, _Beyond Fear_.)


There are Firefox / Seamonkey / etc. updates out.

One of the impersonated Web sites is addons.mozilla.org .  Those who
either attended my Firefox talk at SVLUG, or read my article on the
subject, will remember my stressing reasons why you should _avoid_
trusting sites like addons.mozilla.org and always if humanly possible
favour distro-mediated software distribution channels over upstream
sources.  The current security meltdown is yet another example of why.

In general, given that Web browsers are stuck using the 'trust it; it's
signed' crypto model, there needs to be a _lot_ more scrutiny of
certificate authorities whose root keys are bundled into browsers, and
also (as the above page stresses) all browsers should hard-fail on
certificate revocation errors.  Linux distro package maintainers are the
most likely places for this to happen.

conspire mailing list
conspire at linuxmafia.com

More information about the conspire mailing list