Mozilla Follows Google in Losing Trust in Entrust's TLS Certificates (theregister.com)

Mozilla is following in Google Chrome's footsteps in officially distrusting Entrust as a root certificate authority (CA) following what it says was a protracted period of compliance failures. From a report: A little over a month ago, Google was the first to make the bold step of dropping Entrust as a CA, saying it noted a "pattern of concerning behaviors" from the company. Entrust has apologized to Google, Mozilla, and the wider web community, outlining its plans to regain the trust of browsers, but these appear to be unsatisfactory to both Google and Mozilla.

In an email shared by Mozilla's Ben Wilson on Wednesday, the root store manager said the decision wasn't taken lightly, but equally Entrust's response to Mozilla's concerns didn't inspire confidence that the situation would materially change for the better. "Mozilla previously requested that Entrust provide a detailed report on these recent incidents and their root causes, an evaluation of Entrust's recent actions in light of their previous commitments given in the aftermath of similarly serious incidents in 2020, and a proposal for how Entrust will re-establish Mozilla's and the community's trust," said Wilson.

  • by Pseudonymous Powers ( 4097097 ) on Thursday August 01, 2024 @09:50AM (#64672570)
    I don't do it a lot, but over the years, whenever I have viewed a list of my operating system's trusted certificate authorities, it makes me nervous. It seems to always be a bunch (maybe thirty or forty?) of random companies I've never heard of, some of whose names have indifferent or idiosyncratic formatting. I think maybe I saw an emoji in there once.
    • by KlomDark ( 6370 ) on Thursday August 01, 2024 @01:55PM (#64673300) Homepage Journal
      Heh. 20 years ago I worked for a megacorp. (Not gonna say who) Looking through those trusted authorities, I saw one owned by a division of our company! I thought that could save our division some money if we just started obtaining our certs from that division. So I started searching for someone who could put me in contact with someone from that division. After weeks, never found it, as far as we could tell that division disbanded, yet their root cert was still in all browsers. So trusting those authorities gets pretty sketchy, especially all the newer ones from sketchy countries.
    • by cusco ( 717999 ) on Thursday August 01, 2024 @05:09PM (#64673896)

      Even the ones which are well-known tend to be iffy. I worked in physical security (key cards, cameras, alarms, that stuff) and was sent on an emergency service call to Verisign's offices in Olympia, WA. They weren't our regular customer, but their normal provider didn't have anyone available so they called us. What I found there was appalling, including one door from the building lobby that had no alarm, no access control, no camera, but went directly into their supposedly "secure" area, which people used to block open when they took a smoke break. I got their system back up and then documented what I had found in my quick look-around and handed it to the salescritters. Verisign's reply was, "We'll be moving to a different building in a year or two, we'll call you for a bid on the new place." Three years later I was back there on another service call and things were still the same. Lost any respect that I might have had for certificate authorities right there.

      • Three years later I was back there on another service call and things were still the same. Lost any respect that I might have had for certificate authorities right there.

        The only certs worth trusting are the ones you install yourself. Of course, those are the least trusted of all by your devices and the hardest to get applications to use.

        The TLS cert system has never been trustworthy. It's just the initial keying provider for most people's encryption. (Which should give people nightmares....)
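The posts above describe looking through the operating system's trust store and finding unfamiliar organizations, and in one case a root belonging to a division that no longer existed. The following script is an added example, not code from the page or from Mozilla, Google or Entrust, showing how a defender can pull that list out of Python's default SSL context and summarize it: count roots per organization so unfamiliar names stand out, flag roots whose validity period has already ended, and flag roots whose organization matches a name you have decided to distrust. The sample entries, their organization names and dates are constructed for the example; `load_system_cas()` reads the real store on your machine.

```python
import ssl
import time

# Constructed sample entries in the shape that ssl.SSLContext.get_ca_certs()
# returns; every organization, common name and date here is made up.
SAMPLE_CAS = [
    {
        "subject": ((("countryName", "US"),),
                    (("organizationName", "Example Trust Inc"),),
                    (("commonName", "Example Root CA"),)),
        "notBefore": "Jan  1 00:00:00 2015 GMT",
        "notAfter": "Jan  1 00:00:00 2035 GMT",
    },
    {
        "subject": ((("organizationName", "Defunct Division Ltd"),),
                    (("commonName", "Defunct Division Root"),)),
        "notBefore": "Jan  1 00:00:00 2004 GMT",
        "notAfter": "Jan  1 00:00:00 2020 GMT",
    },
    {
        "subject": ((("organizationName", "Entrust, Inc."),),
                    (("commonName", "Entrust Example Root"),)),
        "notBefore": "Jan  1 00:00:00 2010 GMT",
        "notAfter": "Jan  1 00:00:00 2030 GMT",
    },
]


def subject_field(subject, field):
    """Return the first value of `field` in a get_ca_certs()-style subject tuple."""
    for rdn in subject:
        for name, value in rdn:
            if name == field:
                return value
    return None


def load_system_cas():
    """Load the CAs that Python's default SSL context trusts on this machine."""
    ctx = ssl.create_default_context()  # loads the platform's default trust store
    return ctx.get_ca_certs()


def audit_trust_store(cas, distrusted_orgs=(), now=None):
    """Summarize a list of CA cert dicts.

    Returns the total count, the common names of roots whose validity period
    has already ended, the common names whose organization matches one of
    `distrusted_orgs` (case-insensitive substring), and a per-organization
    count so unfamiliar names stand out.
    """
    if now is None:
        now = time.time()
    expired, distrusted, by_org = [], [], {}
    for cert in cas:
        subject = cert.get("subject", ())
        cn = subject_field(subject, "commonName") or "<no CN>"
        org = subject_field(subject, "organizationName") or "<no O>"
        by_org[org] = by_org.get(org, 0) + 1
        # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form.
        if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
            expired.append(cn)
        if any(d.lower() in org.lower() for d in distrusted_orgs):
            distrusted.append(cn)
    return {"total": len(cas), "expired": expired,
            "distrusted": distrusted, "by_org": by_org}


if __name__ == "__main__":
    # Runs against the constructed sample; swap in load_system_cas() to inspect
    # the real store. The reference date is fixed so the sample output is stable.
    report = audit_trust_store(SAMPLE_CAS, distrusted_orgs=["Entrust"],
                               now=ssl.cert_time_to_seconds("Aug  1 00:00:00 2024 GMT"))
    for org, n in sorted(report["by_org"].items()):
        print(f"{n:3d}  {org}")
    print("expired:", report["expired"])
    print("distrusted:", report["distrusted"])
```

An expired root still sitting in the store is harmless for validation (chains to it fail on date alone) but is a useful signal that nobody is curating the list; a match on a distrusted organization tells you which roots your own systems will keep accepting after a browser vendor has stopped.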

  • Comment removed based on user account deletion
    • by Chris Mattern ( 191822 ) on Thursday August 01, 2024 @10:54AM (#64672794)

      "the best we can come up with is just to trust someone...."

      Just how do you propose to do things if you *don't* trust anybody at all? Even so-called "zero-trust" is just "you have to prove who you are, and then we'll trust you if you're somebody we've decided to trust."

    • by HiThere ( 15173 )

      But one time pads are so inconvenient...
      It really depends on what you mean by "best". There *are* alternatives. They're just less convenient. (One may fairly wonder why they haven't become more convenient.)

      • But one time pads are so inconvenient...
        It really depends on what you mean by "best". There *are* alternatives. They're just less convenient. (One may fairly wonder why they haven't become more convenient.)

        Because, by its nature, a one-time pad means you have to securely deliver a key that's the same size as your data. You haven't solved the problem, you've only shifted it. Now, depending on your situation, shifting the problem to somewhere more convenient may be good enough. But a lot of the time it's
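The reply above makes the point that a one-time pad only moves the problem: every byte of data needs a byte of key delivered securely in advance. The following is an added example, not code from any poster, that implements the pad with a length check and a function that totals the key bytes a sender would have to deliver for a batch of messages. The messages are constructed for the example.

```python
import secrets


def otp_keygen(length):
    """Return a fresh random key of exactly `length` bytes; one key per message."""
    return secrets.token_bytes(length)


def otp_apply(data, key):
    """XOR `data` with `key`; the same operation encrypts and decrypts.

    Refuses a key shorter than the data: cycling or reusing a shorter key is
    exactly what turns a one-time pad into an ordinary, breakable stream cipher.
    """
    if len(key) < len(data):
        raise ValueError(f"key has {len(key)} bytes but data has {len(data)}")
    return bytes(d ^ k for d, k in zip(data, key))


def delivery_cost(messages):
    """Key bytes that must reach the recipient over a secure channel.

    One key byte per data byte, summed over every message, because a pad is
    never reused; this is the size of the problem the pad shifts elsewhere.
    """
    return sum(len(m) for m in messages)


if __name__ == "__main__":
    # Constructed messages for the demonstration.
    msgs = [b"meet at the usual place", b"bring the second key"]
    for m in msgs:
        k = otp_keygen(len(m))
        c = otp_apply(m, k)
        assert otp_apply(c, k) == m  # round trip with the same pad
        print(len(m), "data bytes ->", len(k), "key bytes to pre-share")
    print("total key bytes to deliver securely:", delivery_cost(msgs))
```

The pad itself is a few lines; the cost is entirely in `delivery_cost`, which grows one-for-one with the traffic and has to be paid before the first message is sent.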

  • by dnaumov ( 453672 ) on Thursday August 01, 2024 @10:29AM (#64672702)

    ...as if this wasn't an already solved issue? Entrust already has a new partner they will temporarily offload their processes to, a partner Google and the rest have accepted, while they continue on the plan to improve their internal process that too was shown to and accepted by Google and the rest.

  • Apparently there's more than one important member of the CA/B Forum that gets to call the shots.

    • by leonbev ( 111395 )

      Oh, you mean like the one that tried to force DigiCert to invalidate 83,000 TLS certs with just 18 hours notice because they were missing a freaking underscore character in their CNAME validation DNS record? Yeah, I'd be OK if those jerks got kicked out.

      • Kicking Entrust out after four years of shenanigans but Digicert after one day?

        It appears that Digicert cowered and screwed their customers. I know of one site that's been down for three days because the staff didn't know about some complex signing chain that involved a government entity.

        Though I don't know what I don't know. For instance if Digicert ignored this warning for years and then somebody got tough.

        But I know of another place that is moving all of their DV to LetsEncrypt after this fiasco.

        There mu

        • by cusco ( 717999 )

          I haven't noticed 'competency' being a core value in the executive suites for the last several decades; "access", contacts, personality, media attention, and brown-nosing all seem to be more important. I think Lee Iacocca set the expectations for competency in a CEO pretty low: as long as you can claim credit for your underlings' hard work and foist blame for failures back down the food chain you're golden.
