[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Firefox 3.6 for Windows includes a forged CA cert

> a cert labeled "MD5 Collisions Inc (http://www.phreedom.org/md5)" [...]
> Yes, it's expired, so it poses no real threat, but why is the Mozilla
> Project shipping Firefox with that cert?  It just causes FUD.

This is an override for the forged cert, with all trust bits removed. That
way should the demo cert make it into the wild users will get a hard
failure rather than an overridable one. We worried that many users are
trained to accept "expired" certs as fairly normal and not notice it was
an expired intermediate rather than the end cert.

For more information please see

-Dan Veditz