Re: [tor-bugs] #19192 [Applications/Tor Browser]: untrust bluecoat CA
#19192: untrust bluecoat CA
--------------------------------------+--------------------------
Reporter: mrphs | Owner: tbb-team
Type: defect | Status: new
Priority: Very High | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Major | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by yawning):
{{{
Changing severity to reflect the impact that having BlueCoat as a trusted
intermediary would have on end-users. It would not surprise me if
BlueCoat's move were a way to quietly support one of the many countries
experimenting with national SSL/TLS certificates. It's an excellent way to
silently mitm, I'll give them that much.
}}}
If this was part of some evil plan, wouldn't they have gotten an
intermediate CA that can create more CAs (the pathlen in their cert is `0`
so it can only sign leafs)? What are they gonna do, distribute the CA
private key in every single one of their shit boxes? `*.google.com` MITM
certs as a service? What?
We've so far avoided getting into the "which CAs are evil" game,
despite people complaining (for good reason) about CAs being run by
actual nation states...
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19192#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
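
The pathlen point raised in the comment above, as an added example that is not part of the original message or of Tor Browser's code: a sketch of the path-length checks from RFC 5280 section 6.1.4, run over a simplified certificate model. The `Cert` class, the function name and all certificate names are constructed for illustration; no real certificates are parsed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """Simplified certificate: only the fields the path-length check reads."""
    subject: str
    issuer: str
    is_ca: bool = False              # basicConstraints cA
    path_len: Optional[int] = None   # pathLenConstraint; None means absent

    @property
    def self_issued(self) -> bool:
        return self.subject == self.issuer


def check_path_length(path: List[Cert]) -> Tuple[bool, str]:
    """path[0] is issued by the trust anchor; path[-1] is the end-entity cert."""
    max_path_length = len(path)      # initial value, RFC 5280 section 6.1.2
    for cert in path[:-1]:           # every certificate that signs another one
        if not cert.is_ca:           # 6.1.4 (k): issuer must be a CA
            return False, f"{cert.subject}: cA is not TRUE"
        if not cert.self_issued:     # 6.1.4 (l): consume one level of depth
            if max_path_length <= 0:
                return False, f"{cert.subject}: path length exceeded"
            max_path_length -= 1
        # 6.1.4 (m): a tighter pathLenConstraint lowers the remaining depth
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len
    return True, "ok"


# Constructed sample chains (hypothetical names, trust anchor not included).
constrained = Cert("Example Intermediate", "Example Root", True, 0)
sub_ca = Cert("Example Sub-CA", "Example Intermediate", True)
leaf_direct = Cert("www.example.test", "Example Intermediate")
leaf_via_sub = Cert("www.example.test", "Example Sub-CA")
unconstrained = Cert("Example Intermediate", "Example Root", True)

if __name__ == "__main__":
    # pathlen 0 intermediate signing a leaf directly: accepted
    print(check_path_length([constrained, leaf_direct]))
    # same intermediate trying to mint a further CA: rejected at the sub-CA
    print(check_path_length([constrained, sub_ca, leaf_via_sub]))
    # no pathLenConstraint: the extra CA level validates
    print(check_path_length([unconstrained, sub_ca, leaf_via_sub]))
```

The constraint only limits how many further CA certificates may follow; a pathlen 0 intermediate can still issue end-entity certificates for any name unless name constraints or other policy restrict it.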