Author Topic: Collection of articles on Firefox...  (Read 8611 times)


corrector

  • Guest
Collection of articles on Firefox...
« Reply #12 on: 01 June 2011 at 03:39:06 »
Quote
The Rue89 article was telling the truth: Internet Explorer allowed the Tunisian government (which also controlled the DNS) to impersonate Gmail over https with a certificate they had signed themselves. Something that is not possible with Firefox:
The Rue89 article is a rag. The reply from Bernard Ourghanlian, Chief Technical and Security Officer, Microsoft France, is excellent.

Read this page:
Bug 476766 - Add China Internet Network Information Center (CNNIC) CA Root Certificate, in particular:
Quote
Johnathan Nightingale [:johnath] 2010-01-29 06:00:05 PST

Folks.

Bugzilla isn't a place for advocacy, this discussion belongs in the
mozilla.dev.security.policy newsgroup, as Eddy mentions.

Having said that - I am very sensitive to the concern here.  In my latest
posting to that newsgroup, I said, in part:

1) We have never claimed as a matter of policy that our PKI decisions can
protect people from malicious governments. It's just not a plausible promise
for us to make.

2) I think, regardless of government ties, we'd carefully review and might well
yank trust for any CA that was complicit in MitM attacks.

3) CNNIC complied with our root addition policy, they are in the product
presently, so this isn't a question of approval, this is a question of whether
we should review.

It feels to me like that makes our next step clear, here. It won't help to
tally up the complainants (there will be many), and it won't help to demand
assurances from CNNIC (since the alleged governmental pressure would trump
those anyhow). It certainly won't help to cite wikipedia.

If there's truth to the allegation, here, then it should be possible to produce
a cert. It should be possible to produce a certificate, signed by CNNIC, which
impersonates a site known to have some other issuer. A live MitM attack, a
paypal cert issued by CNNIC for example. If anyone in a position to produce
such a thing needs help understanding the mechanics of doing so, I'm sure this
forum will help them.

SSL makes tampering visible to its victims. The certificate has to actually
make it to my client before I can decide to trust it. By all means, let's arm
people with the knowledge to detect and record such instances. But I don't see
any clear step we can take until then.


More comments in this bug will not help.
Information of the type I described would be helpful in bug 542689, but more advocacy will not help there, either.
Quote
Johnathan Nightingale [:johnath] 2010-01-29 12:44:29 PST

Comments like comment 33 do not help. We don't need advocacy nor allegations, here. We need evidence of certificates issued that shouldn't have been.
Tell me, don't Johnathan Nightingale's "replies" make you sick?

They make me sick, definitely.

You need PROOF that a totalitarian government is doing something wrong before acting. That's nonsense.

The ones showing some common sense are not at Mozilla:
Quote
Comment 36 lihlii 2010-01-29 14:43:18 PST

(...)
The security model of SSL was practically in danger because of the design flaws of the browser to place blind trust on root CAs without consent from the users. Since the CA certificates of rogue government agencies were added, we should consider Firefox as a rogue government controlled browser in the default configuration.

We also get the same nonsense about those half-baked "audits". As if an audit could tell you that an actor is going to behave honestly:
Quote
Comment 37 Eddy Nigg (StartCom) 2010-01-29 15:12:13 PST

(In reply to comment #36)
> Jonathan: might well yank trust for any CA that was complicit in MitM attacks.
>
> lihlii:
> Does the word "was" mean that until the MitM attack happened, any organizations
> can put their root CA certificates in Firefox provided that they can buy
> endorsement "services" from accountant companies like Ernst&Young [1] to
> acquire "trust" from webtrust.org?

Again, Bugzilla should not be used for advocacy! Nevertheless a short reply. I know Ernst & Young and have performed audits with them myself. Hence I'm trusting their attestation.
Well, one understands that Eddy Nigg (StartCom (a CA)) is not going to bite the hand that feeds him. Not openly. At least he isn't rotten to the core, which cannot be said of everyone around Mozilla.

Well, I think that's clear. We see the total hypocrisy of Mozilla's decision-makers, who demand a proof that Firefox does nothing to help the user provide.