Root Certificate update and software design

Recently, a member of PISA (also called Anthony) noticed that when using HK Post office website, FireFox displayed security warning saying the digital certificate used bu HK Post is invalid. A detailed study by other PISA members showed that the reason HK Post (once is the root CA for HK) used their own root certificate. Root certificates are usually shipped with the browser installation and HK Post digital certificate was not included in their default software package. Hong Kong Post setup a page to teach users on how to add the root certificate to most used browsers . However, how many users know this link, willing to follow or could follow the instructions !! It is quite clear that currently most browsers develop and distributed by US company or US-based community. The interest of adding other root certificates is likely lower than adding new functions. Having said that, FireFox developers have a process to add Root Certificates to their software package, for example this link shows the process for adding root certificate. In their pending lsit, China PRC "China Internet Network Information Center (CNNIC)", Hongkong Post and Taiwan Chunghwa Telecom (CHT) are listed. Entry for HongKong post was added on 2008-10-08. However, it is interesting to see that Mozilla used their bug tracking system in their handling for Root Certificate Request from CA around the world. Look at the email trails from e-Mice ( Hong Kong PKI operator) The first request was submitted by HK Post Staff back in 2007 Dec and 20 months passed, it was not yet included in the latest FireFox update !! Obviously, FireFox needs to handle request from many different parties but it was a long time. Maybe, we could look at the how Adobe do it. Within their design, "Adobe products that support the AATL will automatically download this file every 90 days.(1) Before the contents are deposited into the client's Trusted Identity list, the AATL is verified to ensure it came from Adobe. " The approval process may still take a lot of administration time, roots certificate updates will be 90 days. It is a lot better than waiting for a bug-fix or software release!! My comment is all comes down to good design and bad design!


Comments

Unknown said…
http://www.blogger.com/comment.g?blogID=6950169&postID=1288045654731424749&page=0&token=1373374360137
9/7/13 20:54
Post a Comment

Popular posts from this blog

Risk on Radio

This morning I joined a talk show on RTHK and discussed risk of usnig credit cards. Media attendtion is high after the recent security breach at Cardsystems. The story was uncovered on 17 June 2005, but after 6 days it is still lingering on. WHY? First, I believe this incident is huge in terms of people affected. 40 million card numbers were lost. Secondly, it was uncovered on SAT. I am not joking. One of my lectures in a Crisis Management class told his student in class that when reporters are hungry for news, even lost of a penny can be headline news. On Saturday, when reporters unable to find new story, a incident like this one will be reported by every newspaper. Back to the talk show, there were few people called in. And one mentioned that when he visited a Indian online shop and was diverted to a HSBC credit card website. This website asked him to enter his personal information like birthday and passport number. He worried this may be fraudulent website and asked for advice. As
Read more

China Internet Security Law and WTO!?

There is a new Law effective in China being 1 March 2006. A brief outline is here http://news.xinhuanet.com/it/2005-12/29/content_3986087.htm The full legislation is here 互联网安全保护技术措施规定 . There are some interesting observations from an IT security perspective: 1. This regulation is under the regime of China Police Force. 2. Article 7.1.2 requires ISPs to have disaster recovery ability for vital database and system equipments. 3. Most of the regulation requires ISP or who operate internet services (loosely defined at Article 18) to record and store users login time, IP address, user account information and system logs. 4. ISP has to maintain records if they find any illegal materials being distributed to the public. (“What means by illegal in the China ?” is a mystery). 5. China Police could punish entity if they fail to perform Article 7 to 14. But there is no indication of what kinds of punishment should be. First, as a security professional, I appreciate China go
Read more

One source of poverty

A study focused on the effects of Wal-Mart stores on poverty rates found that an estimated 20,000 families nationwide have fallen below the official poverty line as a result of the chain's expansion. Although I have not read the whole report nor the article confirmed the research method is scientific, I agree with the author that "found that one of the greatest effects of a Wal-Mart opening is the closing of mom-and-pop-type operations."
Read more