[SSL Observatory] SSL CA compromise in the wild

Sid Stamm sid at mozilla.com
Wed Mar 23 14:51:10 PDT 2011


On 3/23/11 2:41 PM, Jacob Appelbaum wrote:
> On 03/23/2011 02:39 PM, ArkanoiD wrote:
>> I do not see how HSTS helps. It does nothing besides enforcing TLS, trust model is still the same.
> 
> HSTS helps because at least with Chrome, it requires OCSP checking to
> pass. Thus a MITM cannot (without compromising the CA entirely) simply
> deny CRL/OCSP checks.
> 
> This is not the case with other browsers.

Indeed.  We want that feature for Firefox.
https://bugzilla.mozilla.org/show_bug.cgi?id=643907

HSTS hardens a few more channel integrity checks (CN mismatch,
expiration, etc.) to be non-overridable, but there are no errors in this
particular situation, so HSTS won't help.

-Sid
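To make the distinction in this thread concrete, here is an added example that is not part of the thread and not code from Firefox or Chrome. It models the two things being discussed: parsing the Strict-Transport-Security header (RFC 6797 section 6.1 rules: max-age required, directive names case-insensitive, a repeated directive invalidates the header, unknown directives ignored) and the browser's connection decision once a host is in the HSTS store, including the Chrome behaviour Jacob describes, where an OCSP lookup that cannot be completed is fatal for an HSTS host. The `TlsObservation` fields, the `HstsStore` API and the host names are constructed for the example; the final scenario shows Sid's point, a mis-issued certificate that validates cleanly raises no error for HSTS to act on.

```python
"""Model of HSTS policy storage and its effect on certificate-error handling.
Constructed for illustration; not the implementation of any browser."""
from dataclasses import dataclass
from typing import Callable, Optional
import time


def parse_hsts(header: str) -> Optional[dict]:
    """Parse an STS header value per RFC 6797 6.1.
    Returns {'max_age': int, 'include_subdomains': bool}, or None when the
    header is malformed and must be ignored by the user agent."""
    seen = set()
    max_age = None
    include_sub = False
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # value may be a quoted-string
        if name in seen:
            return None                      # each directive may appear only once
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # any other directive (e.g. preload) is ignored by the UA
    if max_age is None:
        return None                          # max-age is mandatory
    return {"max_age": max_age, "include_subdomains": include_sub}


class HstsStore:
    """Known-HSTS-host store (constructed name). Call observe() only for headers
    received over a TLS connection that had no certificate errors, as RFC 6797
    requires; a header seen on a broken connection must not be trusted."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._hosts = {}  # host -> (expiry_timestamp, include_subdomains)

    def observe(self, host: str, header: str) -> bool:
        parsed = parse_hsts(header)
        if parsed is None:
            return False
        host = host.lower()
        if parsed["max_age"] == 0:           # max-age=0 removes the policy
            self._hosts.pop(host, None)
            return True
        self._hosts[host] = (self._now() + parsed["max_age"], parsed["include_subdomains"])
        return True

    def is_known(self, host: str) -> bool:
        labels = host.lower().split(".")
        for i in range(len(labels)):         # exact match, then each parent domain
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= self._now():
                continue                     # policy has expired
            if i == 0 or include_sub:
                return True
        return False


@dataclass
class TlsObservation:
    """Result of validating the server certificate (constructed fields)."""
    chain_valid: bool      # chains to a trusted root; True for a cert mis-issued by a trusted CA
    name_matches: bool
    not_expired: bool
    ocsp_status: str       # "good", "revoked" or "unavailable"


def connection_decision(store: HstsStore, host: str, obs: TlsObservation,
                        require_ocsp_for_hsts: bool = True):
    """Return ('proceed' | 'warn' | 'block', [reasons]).
    'warn' means the user could click through; 'block' means no override."""
    hsts = store.is_known(host)
    hard, soft = [], []
    if not obs.chain_valid:
        soft.append("untrusted issuer")
    if not obs.name_matches:
        soft.append("name mismatch")
    if not obs.not_expired:
        soft.append("expired")
    if obs.ocsp_status == "revoked":
        hard.append("revoked")
    elif obs.ocsp_status == "unavailable" and hsts and require_ocsp_for_hsts:
        hard.append("ocsp unavailable")      # Chrome-style hard fail on HSTS hosts only
    if hsts:
        hard, soft = hard + soft, []         # HSTS makes overridable errors fatal
    if hard:
        return "block", hard
    if soft:
        return "warn", soft
    return "proceed", []


if __name__ == "__main__":
    store = HstsStore()
    store.observe("example.com", "max-age=31536000; includeSubDomains")
    clean_but_misissued = TlsObservation(True, True, True, "good")
    ocsp_blocked = TlsObservation(True, True, True, "unavailable")
    print(connection_decision(store, "www.example.com", ocsp_blocked))        # blocked under HSTS
    print(connection_decision(store, "www.other.test", ocsp_blocked))         # soft-fail elsewhere
    print(connection_decision(store, "www.example.com", clean_but_misissued)) # no error: HSTS silent
```

The last call is the situation Sid describes: a certificate from a compromised but still-trusted CA passes every check, so the HSTS policy has no error to escalate. The OCSP hard-fail only bites when the attacker also has to block the revocation lookup.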


