Changing severity to reflect the impact that having BlueCoat as a trusted intermediary would have on end-users. It would not surprise me if BlueCoat's move were a way to quietly support one of the many countries experimenting with national SSL/TLS certificates. It's an excellent way to silently mitm, I'll give them that much.
Trac: Priority: Medium to Very High Severity: Normal to Major Cc: N/A to saint
If this was part of some evil plan, wouldn't they have gotten an intermediate CA that can create more CAs (the pathlen in their cert is 0, so it can only sign leaves)? What are they gonna do, distribute the CA private key in every single one of their shit boxes? *.google.com MITM certs as a service? What?
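The pathlen point in comment 2 can be checked with a toy PKI. This is an added example, not from the ticket or from Tor Browser, and all certificates in it are constructed: a root, an intermediate with pathlen:0, a sub-CA under that intermediate, and two leaves. It shows how to read the constraint out of a certificate and that openssl verify accepts the leaf issued directly by the intermediate but rejects the one issued through the sub-CA.

```sh
# Constructed toy PKI (not the real Symantec/BlueCoat certificates) showing what
# basicConstraints pathlen:0 on an intermediate CA allows and forbids.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# mkcert NAME SUBJECT KIND [ISSUER]  -- KIND is ca, ca0 (pathlen:0) or leaf.
# Without ISSUER the certificate is self-signed (the trust anchor).
mkcert() {
  name=$1 subj=$2 kind=$3 issuer=$4
  case $kind in
    ca)   printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' ;;
    ca0)  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' ;;
    leaf) printf 'basicConstraints=critical,CA:FALSE\n' ;;
  esac > "$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" -subj "$subj" -out "$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" -CAcreateserial \
      -days 1 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  fi
}

# pathlen_of CERT -- print the pathLenConstraint (empty if none); the check a
# reviewer runs on an intermediate to see how far it can delegate issuance.
pathlen_of() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*pathlen:\([0-9][0-9]*\).*/\1/p'
}

# verify_leaf LEAF CHAINCERT... -- validate LEAF against the root; prints ok or fail.
verify_leaf() {
  leaf=$1; shift
  cat "$@" > chain.pem
  if openssl verify -CAfile root.crt -untrusted chain.pem "$leaf" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

mkcert root     '/CN=Toy Root'          ca
mkcert inter    '/CN=Toy Intermediate'  ca0  root    # the pathlen:0 intermediate
mkcert subca    '/CN=Toy Sub-CA'        ca   inter   # a further CA it tries to create
mkcert leaf_ok  '/CN=ok.example.test'   leaf inter   # issued directly by the intermediate
mkcert leaf_bad '/CN=bad.example.test'  leaf subca   # issued via the sub-CA, which pathlen:0 forbids

echo "intermediate pathlen: $(pathlen_of inter.crt)"                                       # 0
echo "leaf signed by intermediate:     $(verify_leaf leaf_ok.crt inter.crt)"               # ok
echo "leaf signed via sub-CA under it: $(verify_leaf leaf_bad.crt inter.crt subca.crt)"    # fail
```

The sub-CA certificate itself is well-formed and signed by the intermediate; it is the chain validation in the client, honouring pathlen:0, that refuses anything issued below it.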
We've so far avoided getting into the "which CAs are evil" game, despite people complaining (for good reason) about CAs being run by actual nation states...
See: https://bugzilla.mozilla.org/show_bug.cgi?id=1276146 for the upstream bug. We should closely follow it and take Mozilla's reasoning into account. I am still not convinced we should go into the "which CA is evil" business and agree with comment:2.
The Department of Defense has a CA. The South Korean government has a CA. China has a CA. Why are we trusting them? Though admittedly the DoD PKI is not trusted by Firefox, even if it is in the Windows trust store. The CA system itself is broken. It's not up to us to fix it by blacklisting authorities we dislike.
The point is that I agree with Yawning and gk. We shouldn't get into the "which CAs are evil" game.
I think this ticket should be closed, myself.
Trac: Severity: Major to Normal Priority: Very High to Medium
Upstream bug was fixed. Next step?
"which CA is evil" - start to update root certificates according to Firefox release?
Next step is moving to Firefox ESR 52 which is planned for the next alpha (i.e. 7.0a3).
Trac: Keywords: N/A deleted, ff52-esr-will-have added Status: needs_information to assigned