Comments: Firefox as a mainstream security risk - three threats

Don't have time to comment on anything else, but the Quovadis thing was basically a function of people who didn't understand the difference between the Firefox root list (kept in a DLL) and the Windows/IE root list (kept in the registry). They kept trying to delete the root cert in Firefox, saw that this had no effect on the registry (d'oh!), and then leapt to conclusions that there was some kind of trojan running.

As to why Quovadis got singled out, I think it was simply that they'd never heard of a CA named "Quovadis", and they thought it sounded more like what someone would name a trojan than "Geotrust" or "VeriSign" :-)

Posted by Frank Hecker at July 28, 2006 10:32 PM

I think it is not the browser's job to decide which root certificate to trust. It's the user's job.
Of course, as long as CAs keep financing browser development, security takes a back seat.

Posted by Daniel A. Nagy at July 30, 2006 04:36 AM

http://groups.google.com/group/mozilla.dev.security/msg/0040e1d23f638661

Posted by Frank response in depth! at August 1, 2006 02:35 PM

Privsoft may have blown it, but someone sees this as an attractive attack vector!

http://isc.sans.org/diary.php?compare=1&storyid=1543&isc=b05ac907ada17fb718bb9e3d02dab2f6

Posted by ~ at August 7, 2006 03:27 PM