Monday, 23 February 2015

Mozilla Is Considering Blacklist For Superfish Certificate

Mozilla is considering putting the Superfish certificate that was installed on Lenovo laptops on a blacklist, according to a discussion on Mozilla's Bugzilla, where developers discuss issues and bugs in Mozilla software. If the certificate is put on a blacklist, users would no longer be able to ignore the certificate warnings that are displayed when the Superfish certificate is used.

Superfish installs a root certificate in the computer's root store, where all root certificates are kept, and through that certificate SSL connections can be intercepted: Superfish routes all SSL connections through its own certificate. Researchers managed to crack the password protecting the private key of the Superfish certificate. This makes it possible in some cases to carry out man-in-the-middle attacks against systems on which Superfish is running and the certificate is active.

"Every certificate that is added to root stores by commonly used software and whose private key is known is a risk," said Gervase Markham on Bugzilla. He notes that whether or not software installs certificates on computers can change. A program may show no suspicious behavior one week and then do so again a week later. "Without extensive research, we do not know exactly how they work, in which cases software can modify root lists, and which root lists."

Although Mozilla employees were initially quite hesitant to put the certificate on the blacklist, Microsoft's decision to remove the Superfish application and the certificate using Windows Defender and Security Essentials changed this. "This paves the way for us to revoke the certificate," said Mozilla's Richard Barnes. Since Microsoft has already removed the certificate from many computers, the impact of any blacklisting will be minor. "It just adds to the disinfection," Barnes continues. However, whether and when the certificate will be put on the blacklist has not yet been decided.
