TrustCor Systems: Do they still run man-in-the-middle attacks?
November 11, 2022 3:48 AM

TrustCor Systems is a root certificate authority trusted by all major browsers, app stores, and email clients, but Prof Joel Reardon of AppCensus discovered irregularities with TrustCor and found that TrustCor has an "identical slate of officers, agents and partners as a spyware maker" subsidiary of the surveillance company Packet Forensics, including Raymond Saulino. As late as 2010, Raymond Saulino and Packet Forensics sold tools that carry out man-in-the-middle attacks using forged certificates. Ryan Dickson of Google's Root Program identified additional irregularities.

Edge, Chrome, and Safari, but not Firefox, only accept certificates listed by some certificate transparency log, typically Google or CloudFlare. As a result, security researchers conjecture that TrustCor is used for attacks on "S/MIME, code signing, or highly targeted attacks" or other protocols that do not or cannot use certificate transparency. In principle, users could remove root certificates, but not on iOS.

TrustCor is registered in Panama and lists a UPS Store in Toronto as its physical address. TrustCor’s products include an email service that claims to be end-to-end encrypted, but in fact contains spyware developed by another Packet Forensics subsidiary. Packet Forensics itself sells services related to online spying.
posted by jeffburdges (22 comments total) 34 users marked this as a favorite
 
This is the one thing we didn't want to happen.
posted by Stonestock Relentless at 5:32 AM on November 11, 2022 [11 favorites]


The lede got buried in the FPP; here it is again: Mysterious company with government ties plays key internet role

An offshore company that is trusted by the major web browsers and other tech companies to vouch for the legitimacy of websites has connections to contractors for U.S. intelligence agencies and law enforcement, according to security researchers, documents and interviews.


A-and here's an ungated version of the WaPo article.
posted by chavenet at 5:37 AM on November 11, 2022 [14 favorites]


Back to pen and paper…
posted by beesbees at 5:56 AM on November 11, 2022 [1 favorite]


Anyone know why Firefox never adopted certificate transparency?

Is there some reason, or they simply hemorrhaged too much security talent when they started overpaying management?
posted by jeffburdges at 7:26 AM on November 11, 2022


Never trust a company with the word "trust" in its name.
posted by sammyo at 7:54 AM on November 11, 2022 [14 favorites]


The certificate system always did strike me as incredibly rickety and attack-prone. Patting myself on the back for good instincts.
posted by humbug at 8:10 AM on November 11, 2022 [1 favorite]


I feel like trusting a mysterious offshore company with your fundamental security was the first mistake.
posted by star gentle uterus at 8:14 AM on November 11, 2022 [2 favorites]


I feel like trusting a ... company ... was the first mistake.
posted by curious nu at 8:18 AM on November 11, 2022 [10 favorites]


Just to clarify for someone who knows nothing about this stuff, Firefox is more vulnerable? Should I switch even though I'm not a journalist, government official, etc. etc.?
posted by moonmoth at 8:34 AM on November 11, 2022 [3 favorites]


Has anyone found a certificate from them in the wild? I poked around Censys yesterday and it looked like they’ve only used it for test systems. That makes me think this was either defunct or used strictly for targeted attacks, neither of which should be acceptable from a CA.

I do wish we could do more scoped CAs (e.g. the Turkish military one can only be .tr) but there isn’t really any way to do that which isn’t a gift for the major US companies.
posted by adamsc at 8:38 AM on November 11, 2022


Anyone know why Firefox never adopted certificate transparency?

Hey - I work there. I'd like to talk about this a bit more, but I can't really do that responsibly while we're in the middle of an exciting week like this.

Just to clarify for someone who knows nothing about this stuff, Firefox is more vulnerable?

No. Everyone in the major vendor space works really, really hard not to Balkanize the web, so decisions about CAs are made with a great deal of caution and consensus even if implementations are different. It means the web works, but it also means that CA issues typically affect everyone regardless of vendor.
posted by mhoye at 8:44 AM on November 11, 2022 [12 favorites]


mhoye, I think that needs more explanation. "CA issues" affect everyone, sure, but it sounds like you are just saying that Firefox will change or remove root CAs in concurrence with other browsers, which is an "after the fact" response to an issue. The fact is that Firefox does not check certificate transparency (CT) logs, while other browsers do, and checking CT logs can detect and prevent certain types of attacks. As I understand it, a root CA could issue a trusted certificate just for attacking a Firefox user, not publish it to CT logs, and be undetected by that user, whereas Chrome, etc. would not accept that certificate. Please correct my understanding if I'm off.

Now, to be clear, this would probably be a fairly targeted attack and not something a random internet user would need to worry much about. But it does seem accurate to say that Firefox is more vulnerable.
posted by whatnotever at 8:59 AM on November 11, 2022 [2 favorites]


beesbees: “Back to pen and paper…”
Days Since I've Posted, “I shoulda been a farmer:” 1,699 0
posted by ob1quixote at 9:03 AM on November 11, 2022 [2 favorites]


I think that needs more explanation.

I agree! And look forward to being able to elaborate it soon.
posted by mhoye at 9:07 AM on November 11, 2022 [5 favorites]


lists a UPS Store in Toronto as its physical address

seems legit
posted by They sucked his brains out! at 11:03 AM on November 11, 2022 [2 favorites]


Communications devices hooked up with sensors and monitors will sense, monitor and communicate. IT user privacy and security are contranyms like dry water or jumbo shrimp.

The appearance of security is a honeypot, the pursuit of privacy is a red-flag and the reliance on technology a lemmings-rush-over-the-cliff.jpg
posted by anecdotal_grand_theory at 11:15 AM on November 11, 2022 [1 favorite]


I've never looked too closely at certificate transparency but my understanding goes:

As a part of issuing a cert, CAs submit the cert to "some" CT logs, who add the submitted cert into some hash-based self-authenticating data structure, probably a Merkle mountain range (MMR), like some blockchains, not just a hash chain like git. You could think of them as git repositories with CAs submitting PRs though. Now CAs bundle acknowledgments by CT logs into the certificate they issue, so browsers see roughly "Let's Encrypt authenticated this website, while Google and CloudFlare signed a commit hash containing this certificate."

There is no consensus among the CT logs, certainly not in the sense of blockchains or other byzantine agreement schemes, but afaik not even in the sense of CRDTs, git merges, etc. Also any certificate contains CT log signatures for only two (?) of the six CT logs. There are five American and one Chinese CT logs, which creates a censorship risk, but any CT log that signs a bad commit hash could be discredited, so security-wise this winds up being fine.

I do not know if CT logs provide service to Iranians, North Koreans, etc. or those countries' CAs.
posted by jeffburdges at 12:45 PM on November 11, 2022
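The data structure jeffburdges sketches above, together with the scenario whatnotever raises earlier in the thread (a certificate a trusted CA issued but never logged: accepted by a client that does not require CT evidence, rejected by one that does), as an added worked example. This is not part of the thread and not code from any CT log, CA or browser. The tree hashing follows RFC 6962 (a Merkle tree with domain-separated leaf and node hashes, not a hash chain) and the verifier follows the inclusion-proof algorithm in RFC 9162; the rest is assumed simplification: a "certificate" is an opaque byte string, the log's signature over its tree head and the SCT mechanism are left out (a real browser checks the log's signature on an SCT rather than an inclusion proof, and Chrome's policy wants SCTs from more than one log), the CA-signature check is assumed to have already passed, and all inputs are constructed in-process.

```python
"""RFC 6962-style Merkle tree hash, inclusion proofs and a toy CT policy check.
Added example for this thread, not code from any CT log, CA or browser. Assumed
simplifications: a "certificate" is an opaque byte string; the log's signature
over its tree head / SCT is omitted, so "evidence of logging" is an inclusion
proof against a published (tree_size, root); the CA-signature check is assumed
to have already passed."""
import hashlib
from typing import Dict, List, Tuple

Evidence = Tuple[int, int, bytes, List[bytes]]  # (index, tree_size, root, proof)

def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(entry: bytes) -> bytes:
    """RFC 6962 s2.1: leaves hash with a 0x00 prefix (domain separation)."""
    return _sha256(b"\x00" + entry)

def node_hash(left: bytes, right: bytes) -> bytes:
    """RFC 6962 s2.1: interior nodes hash with a 0x01 prefix."""
    return _sha256(b"\x01" + left + right)

def _split_point(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    return 1 << ((n - 1).bit_length() - 1)

def merkle_tree_hash(entries: List[bytes]) -> bytes:
    """MTH(D[n]) from RFC 6962 s2.1."""
    n = len(entries)
    if n == 0:
        return _sha256(b"")
    if n == 1:
        return leaf_hash(entries[0])
    k = _split_point(n)
    return node_hash(merkle_tree_hash(entries[:k]), merkle_tree_hash(entries[k:]))

def inclusion_proof(entries: List[bytes], index: int) -> List[bytes]:
    """PATH(m, D[n]) from RFC 6962 s2.1.1: sibling hashes, leaf side first."""
    n = len(entries)
    if n <= 1:
        return []
    k = _split_point(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [merkle_tree_hash(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [merkle_tree_hash(entries[:k])]

def verify_inclusion(leaf: bytes, index: int, tree_size: int,
                     proof: List[bytes], root: bytes) -> bool:
    """Recompute the root from a leaf hash and its audit path (RFC 9162 s2.1.3.2)."""
    if index >= tree_size:
        return False
    fn, sn, r = index, tree_size - 1, leaf
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = node_hash(p, r)
            while not fn & 1 and fn != 0:  # skip levels where we are the whole right edge
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root

def submit(log: List[bytes], cert: bytes) -> Evidence:
    """Append to the (constructed, in-memory) log and return inclusion evidence
    against the tree head at the time of submission."""
    log.append(cert)
    idx = len(log) - 1
    return idx, len(log), merkle_tree_hash(log), inclusion_proof(log, idx)

def client_accepts(cert: bytes, evidence: Dict[bytes, Evidence], enforce_ct: bool) -> bool:
    """CT-enforcing client: needs a verifiable log entry for this exact cert.
    Non-enforcing client: the (assumed) CA signature alone is enough."""
    if not enforce_ct:
        return True
    if cert not in evidence:
        return False
    idx, size, root, proof = evidence[cert]
    return verify_inclusion(leaf_hash(cert), idx, size, proof, root)

def demo() -> Tuple[bool, bool, bool, bool]:
    """Constructed scenario: three logged certs plus one cert a trusted CA issued
    for interception and never logged. Returns (logged+enforcing, unlogged+enforcing,
    unlogged+non-enforcing, unlogged with a proof borrowed from another cert)."""
    log: List[bytes] = []
    evidence: Dict[bytes, Evidence] = {}
    for cert in (b"cert:example.com", b"cert:mail.example.net", b"cert:shop.example.org"):
        evidence[cert] = submit(log, cert)
    rogue = b"cert:bank.example.com(issued for interception, never logged)"
    borrowed = {rogue: evidence[b"cert:example.com"]}  # proof for a different leaf
    return (client_accepts(b"cert:example.com", evidence, True),
            client_accepts(rogue, evidence, True),
            client_accepts(rogue, evidence, False),
            client_accepts(rogue, borrowed, True))

if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```

Run it with `python3` and it prints `(True, False, True, False)`: the logged certificate passes the enforcing client, the unlogged interception certificate fails it, the same certificate sails through a client that never asks for CT evidence, and an attacker cannot fix that by attaching a proof that belongs to a different leaf, because the audit path only recomputes the published root for the exact leaf hash it was issued for. Against a real log the same `verify_inclusion` would be fed the leaf hash, index, tree size and audit path returned by the log's `get-proof-by-hash` endpoint and the root from its signed tree head; consistency proofs between successive tree heads, which are what make the log append-only over time, are omitted here.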


Important question: Are there applications that currently do not use certificate transparency but that commonly receive certificates with CT log signatures, due to those certificates being dual use?

If so, can they be switched quickly so that perhaps some spying targets become suspicious that they're being spied upon?
posted by jeffburdges at 12:52 PM on November 11, 2022


The game is rigged. It always was rigged, but these computer thingys are enchanting, and in some ways better than real life, according to everyone who spends time inside the experiment, while the fire rages in the real world and the whales die a death of plastic pieces.
posted by Oyéah at 7:13 PM on November 11, 2022


It's only about 6 clicks to remove or edit trust levels for TrustCor's three root certificates from Firefox's certificate store. (Settings --> Certificates --> Edit) It's also kinda wild to note that the Hong Kong Post Office also has 2 root certificates in there too. (So I guess both the NSA and China have had the ability to create bogus HTTPS certificates for fake sites that Firefox would accept as legit...?)

In regard to adamsc's question about finding certificates from them in the wild: after untrusting TrustCor's root certs last week I can no longer visit their own corporate website ( trustcor.ca ) from Firefox without alarm bells. Other than that, browsing hasn't changed for me.
posted by warreng at 9:40 PM on November 12, 2022


If there is a setting to do that on Android Firefox, though, I don't see it.
posted by trig at 2:26 AM on November 13, 2022 [1 favorite]


The TrustCor CA certificates were also trusted in my macOS certificate store (keychain). I've removed trust both there and in Firefox.

Are there any other "mainstream" CAs who are perceived to be untrustworthy?
posted by Unwandering star of the North at 1:47 AM on November 17, 2022 [1 favorite]

