[ale] Firefox-3 and authorizing home-made certs

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Jul 8 18:42:42 EDT 2008


On Tue 2008-07-08 17:27:39 -0400, Chris Fowler wrote:

> FF3's certificate warnings are scary compared to FF2.  What we have done 
> is started the process of getting a valid certificate for a server.  

Bah.  All well-formed certificates are *valid*.  What you've done is
agreed to pay some money to a middleman certificate broker who has
managed to get their Certificate Authority's credentials "trusted" by
default in the major browsers.  Many of these CAs can't even seem to
publish a reasonable CRL (let alone use OCSP) to properly revoke
certificates.  Given the recent Debian OpenSSL debacle, these
middleman CAs should have *overflowing* CRLs, but most of them don't
seem to have done anything of the kind.

For most purposes (and especially for in-house purposes), these
"official CAs" are actually *less* trustworthy than a CA run by your
own group's administrators.  Check out the TinyCA [0] packages to see
how simple that can be.  You can set it up on an old laptop, keep it
off-net, and transfer data to and from it via USB if you want to keep
the mechanism of the CA itself isolated.

The whole X.509 architecture is at fault here really [1], but the
recent FF3 changes have made it much worse.

If you have an in-house CA, and you control the users' browsers (e.g. a
lab environment or mid-size corp), you can use the NSS certificate
database tools [2] to automatically "trust" the in-house CA for most
users with a simple command like:

 certutil -A -d ~/.mozilla/firefox/*.default/ -n 'in-house CA' -t C,, </path/to/inhouse-CA-certificate.pem

Then future firefox sessions for that user (using the "default"
profile) should have no problem accessing sites that use a certificate
signed by the in-house CA.

Unfortunately, this needs to be done for every user, and it needs to
happen *after* their default profile is created.  I haven't yet
figured out how to make this a default upon profile creation either.
If anyone else has pointers on how to do something like this at
profile creation time, I'd love to hear about it.

Your grumpy TLS troll,

        --dkg

[0] http://packages.debian.org/tinyca
[1] http://lair.fifthhorseman.net/~dkg/tls-centralization
[2] http://packages.debian.org/libnss3-tools
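The per-profile certutil step from the post above, written out as a reusable script. This is an added example and not dkg's code: it walks every existing Firefox profile under a home directory, imports the in-house CA with SSL-CA trust, and re-reads the database to confirm the trust flags landed. It adds one caveat the post does not mention: current certutil defaults to the sqlite database format (cert9.db), while profiles from the Firefox 3 era only carry cert8.db, so the script names the format explicitly to avoid certutil creating a second database that Firefox never reads. The nickname, the `abcd1234.default` profile name, and the throwaway CA that `demo()` generates with openssl are illustrative assumptions; it covers existing profiles only and does not answer the profile-creation-time question.

```shell
#!/bin/sh
# Added example, not part of the original post: import an in-house CA into
# every existing Firefox profile of one user with NSS certutil
# (libnss3-tools) and verify the trust flags afterwards.  Assumes the usual
# profile layout ~/.mozilla/firefox/<id>.<name>/ and certutil on PATH; the
# nickname, paths and the throwaway CA in demo() are illustrative.

CA_NICK="in-house CA"   # nickname under which the CA is stored in each db

# nss_db PROFILE_DIR -> prints the -d argument certutil needs for that profile.
# Current certutil defaults to the sqlite format (cert9.db) while older
# profiles only carry cert8.db; naming the format explicitly stops certutil
# from silently creating a second database that Firefox never reads.
nss_db() {
    if   [ -f "$1/cert9.db" ]; then printf 'sql:%s\n' "$1"
    elif [ -f "$1/cert8.db" ]; then printf 'dbm:%s\n' "$1"
    else return 1
    fi
}

# ca_trust PROFILE_DIR -> prints the trust attributes recorded for $CA_NICK
# (for example "C,,"), or nothing if the CA is not in the database.
ca_trust() {
    ct_db=$(nss_db "$1") || return 1
    certutil -L -d "$ct_db" 2>/dev/null | grep -F -- "$CA_NICK" | awk '{print $NF}'
}

# install_ca CERT_PEM PROFILE_DIR
# Makes CERT_PEM a trusted SSL CA ("C,,") in PROFILE_DIR.  Idempotent:
# returns 0 if already trusted, fixes the flags if the cert is present but
# untrusted, imports it otherwise.  Returns 1 on any failure.
install_ca() {
    ic_cert=$1; ic_prof=$2
    ic_db=$(nss_db "$ic_prof") || { echo "no NSS database in $ic_prof" >&2; return 1; }
    case "$(ca_trust "$ic_prof")" in
        C*) return 0 ;;                                   # already trusted for SSL
        "") certutil -A -d "$ic_db" -n "$CA_NICK" -t "C,," -a -i "$ic_cert" || return 1 ;;
        *)  certutil -M -d "$ic_db" -n "$CA_NICK" -t "C,," || return 1 ;;
    esac
    # Re-read the database instead of trusting the exit code alone.
    [ "$(ca_trust "$ic_prof")" = "C,," ]
}

# install_ca_all CERT_PEM HOME_DIR
# Runs install_ca over every NSS database under HOME_DIR/.mozilla/firefox.
# Prints one "installed <profile>" line per profile; returns 1 if any failed.
install_ca_all() {
    ia_rc=0
    for ia_p in "$2"/.mozilla/firefox/*/; do
        ia_p=${ia_p%/}
        nss_db "$ia_p" >/dev/null 2>&1 || continue   # not a profile dir
        if install_ca "$1" "$ia_p"; then echo "installed $ia_p"; else ia_rc=1; fi
    done
    return $ia_rc
}

# demo -> builds a throwaway profile and a self-signed CA in a temp dir,
# installs the CA, prints the resulting trust attributes ("C,,") and cleans
# up.  Needs openssl in addition to certutil.
demo() {
    d_tmp=$(mktemp -d) || return 1
    d_prof="$d_tmp/.mozilla/firefox/abcd1234.default"
    mkdir -p "$d_prof"
    certutil -N -d "sql:$d_prof" --empty-password >/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example In-House CA" \
        -keyout "$d_tmp/ca.key" -out "$d_tmp/ca.pem" >/dev/null 2>&1 || return 1
    install_ca_all "$d_tmp/ca.pem" "$d_tmp" >/dev/null || return 1
    ca_trust "$d_prof"
    rm -rf "$d_tmp"
}

# Typical use, run as the user who owns the profiles:
#   install_ca_all /path/to/inhouse-CA-certificate.pem "$HOME"
```

Run it as the owning user (or per home directory under sudo) so the database files keep their ownership; `certutil -M` handles the case where the CA was imported earlier without trust flags, which a plain `-A` would not correct.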