[tor-bugs] #19192 [Applications/Tor Browser]: untrust bluecoat CA

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat May 28 20:08:38 UTC 2016

#19192: untrust bluecoat CA
 Reporter:  mrphs                     |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Very High                 |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Major                     |     Resolution:
 Keywords:                            |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:

Comment (by yawning):

 Changing severity to reflect the impact that having BlueCoat as a trusted
 intermediary would have on end-users. It would not surprise me if
 BlueCoat's move were a way to quietly support one of the many countries
 experimenting with national SSL/TLS certificates. It's an excellent way to
 silently MITM, I'll give them that much.

 If this was part of some evil plan, wouldn't they have gotten an
 intermediate CA that can create more CAs (the pathlen in their cert is `0`
 so it can only sign leafs)?  What are they gonna do, distribute the CA
 private key in every single one of their shit boxes?  `*.google.com` MITM
 certs as a service?  What?

 We've so far avoided getting into the "which CAs are evil" game,
 despite people complaining (for good reason) about CAs being run by
 actual nation states...

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/19192#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
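
The pathlen point in the comment above, as an added example (not part of the original message and not Tor Project code): a minimal model of the RFC 5280 path-length check a validator runs, showing that an intermediate with pathLenConstraint 0 can still issue leaf certificates while any CA it signs fails validation. All certificate names are constructed; signature, name and validity checks are out of scope.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False             # basicConstraints cA flag
    path_len: Optional[int] = None  # pathLenConstraint; None means absent


def check_path_length(path: Sequence[Cert]) -> Tuple[bool, str]:
    """path[0] is issued by the trust anchor; path[-1] is the end-entity cert."""
    max_path_length = len(path)          # RFC 5280 6.1.2 (k): initialised to n
    for cert in path[:-1]:               # every cert except the last acts as an issuer
        if not cert.is_ca:               # 6.1.4 (k): an issuer must assert cA=TRUE
            return False, f"{cert.subject}: not a CA"
        if cert.subject != cert.issuer:  # 6.1.4 (l): self-issued certs are not counted
            if max_path_length <= 0:
                return False, f"{cert.subject}: path length constraint exceeded"
            max_path_length -= 1
        if cert.path_len is not None and cert.path_len < max_path_length:
            max_path_length = cert.path_len  # 6.1.4 (m): tighten to the cert's limit
    return True, "ok"


# Constructed sample chains (trust anchor "Example Root" is implicit).
INTER0 = Cert("Constrained Intermediate", "Example Root", is_ca=True, path_len=0)
INTER_ANY = Cert("Unconstrained Intermediate", "Example Root", is_ca=True)

LEAF_UNDER_INTER0 = [INTER0, Cert("www.example.test", INTER0.subject)]
SUBCA_UNDER_INTER0 = [
    INTER0,
    Cert("Sub CA", INTER0.subject, is_ca=True),
    Cert("www.example.test", "Sub CA"),
]
SUBCA_UNDER_INTER_ANY = [
    INTER_ANY,
    Cert("Sub CA", INTER_ANY.subject, is_ca=True),
    Cert("www.example.test", "Sub CA"),
]

if __name__ == "__main__":
    for name, chain in [("leaf under pathlen 0", LEAF_UNDER_INTER0),
                        ("sub-CA under pathlen 0", SUBCA_UNDER_INTER0),
                        ("sub-CA, no pathlen", SUBCA_UNDER_INTER_ANY)]:
        print(name, "->", check_path_length(chain))
```

The constraint limits chain depth only; which names a leaf may carry is governed separately, by name constraints.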
