Joel Reardon - Why PO boxes can't be root certificate authorities anymore [2 June 2023]

Video description

This talk is part of the CrySP Speaker Series on Privacy. For more information and to view other talks in the series, go to: https://crysp.uwaterloo.ca/speakers/

CVE-2022-23491, or Why PO boxes can't be root certificate authorities anymore

Joel Reardon, University of Calgary
June 2, 2023

Abstract:
Mozilla curates a set of root certificate authorities used to validate
hostnames for TLS in the Firefox browser. Many other software projects,
such as Tor Browser and ca-certificates, simply follow Mozilla's list;
other entities, such as Apple and Microsoft, make their own inclusion
decisions while taking Mozilla's decisions and the associated public
discussion into account.
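The practical consequence of "following Mozilla's list" is that when Mozilla distrusts a root, downstream bundles drop the matching PEM entry. The following is an added example (not code from the talk, from Mozilla, or from the ca-certificates project) showing how a bundle maintainer can identify entries by SHA-256 fingerprint of the DER encoding, the same value `openssl x509 -fingerprint -sha256` prints, and remove a distrusted root. The sample bundle is constructed: its payloads are placeholder bytes, not real X.509 certificates, so only the PEM framing and fingerprint logic are exercised.

```python
"""Audit a PEM root bundle and drop a distrusted root by SHA-256 fingerprint.

Added example; not code from the talk, Mozilla, or ca-certificates.
The SAMPLE_BUNDLE below is constructed from placeholder bytes, not real
certificates (assumption: only the PEM framing and hashing matter here).
"""
import base64
import hashlib
import re

# One CERTIFICATE block; DOTALL lets the base64 body span lines.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def iter_pem_entries(bundle_text):
    """Yield (pem_block_text, der_bytes) for every CERTIFICATE block."""
    for m in PEM_RE.finditer(bundle_text):
        b64 = "".join(m.group(1).split())  # strip line wrapping
        yield m.group(0), base64.b64decode(b64)


def fingerprint_sha256(der):
    """Uppercase hex SHA-256 of the DER bytes (openssl's value without colons)."""
    return hashlib.sha256(der).hexdigest().upper()


def list_fingerprints(bundle_text):
    """Fingerprints of all entries, in bundle order."""
    return [fingerprint_sha256(der) for _, der in iter_pem_entries(bundle_text)]


def remove_distrusted(bundle_text, distrusted_fingerprints):
    """Return (new_bundle_text, removed_count).

    Fingerprints may be given with or without colons, any case; every entry
    whose DER fingerprint matches is dropped, all others are kept verbatim.
    """
    wanted = {fp.replace(":", "").upper() for fp in distrusted_fingerprints}
    kept, removed = [], 0
    for pem, der in iter_pem_entries(bundle_text):
        if fingerprint_sha256(der) in wanted:
            removed += 1
            continue
        kept.append(pem)
    return "\n".join(kept) + ("\n" if kept else ""), removed


def make_placeholder_entry(label):
    """Constructed PEM block whose payload is arbitrary bytes, not real DER."""
    payload = f"placeholder-root:{label}".encode()
    b64 = base64.encodebytes(payload).decode()  # wrapped, newline-terminated
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed three-entry bundle standing in for a real ca-certificates file.
SAMPLE_BUNDLE = (
    make_placeholder_entry("Example Root A")
    + make_placeholder_entry("Example Root B")
    + make_placeholder_entry("Example Root C")
)

if __name__ == "__main__":
    fps = list_fingerprints(SAMPLE_BUNDLE)
    for fp in fps:
        print(fp)
    # Distrust the second root, as a downstream bundle would after a removal.
    new_bundle, n = remove_distrusted(SAMPLE_BUNDLE, {fps[1]})
    print(f"removed {n}; {len(list_fingerprints(new_bundle))} roots remain")
```

On a real system the same functions run unchanged over `/etc/ssl/certs/ca-certificates.crt` or a `certifi` bundle; the fingerprint to remove is taken from the public distrust discussion rather than guessed.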

In March 2023, Mozilla introduced a set of new considerations for
deciding on inclusions in and removals from its root store. Among
these are being closely tied through ownership or operation to a spyware
operation, having a P.O. box as an address or being a shell
corporation, being audited by an auditor that audits no other
certificate authority, and not being transparent on matters such as
legal domicile and control.

In this talk, we'll discuss our research into a root certificate
authority and the associated disclosure that led to Mozilla distrusting
it and GitHub assigning CVE-2022-23491. This was despite no evidence of
any mis-issued certificates or wrongdoing tied to its certificate
authority operations. This removal was soon followed by Mozilla
producing its new set of root inclusion considerations, some of which
are directly relevant to our disclosure.

Bio:
Joel Reardon is an associate professor at the University of Calgary who
researches mobile security and privacy issues and the data collection done
through those devices. He received his Bachelor's and Master's at the
University of Waterloo and his Doctor of Sciences at ETH Zurich. His
research has been covered by the CBC, the BBC, the Washington Post, and
the Wall Street Journal, among other places. His research has received
the Emilio Aced Research and Personal Data Protection Award, the CNIL -
Inria Data Protection Award, and the Caspar Bowden Award for Outstanding
Research in Privacy Enhancing Technologies. He likes bicycling and
snowboarding.
