Chrome will reject the Camerfirma certificates used by the Agencia Tributaria
After a long discussion within the Mozilla foundation, the Google Chrome security team has decided to stop trusting certificates issued by the Spanish certification authority Camerfirma, which is used by the Agencia Tributaria, among other government bodies.
Oh well, I'll just keep using Firefox
Ouch, Firefox too, soon.
"♫ I'm starting with the Man in the Middle (oh yeah)
I'm asking him to change his ways
And no message could have been any clearer ... ♫"
www.brow.sh/
VIEWER:application/postscript:fbpdf2 -w %s
VIEWER:application/pdf:fbpdf2 -w %s
VIEWER:image/gif:fbi -a %s
VIEWER:image/x-xbm:fbi -a %s
VIEWER:image/png:fbi -a %s
VIEWER:image/tiff:fbi -a %s
VIEWER:image/jpeg:fbi -a %s
VIEWER:video/mpeg:fbplayer %s
VIEWER:video/mp4:fbplayer %s
VIEWER:video/mkv:fbplayer %s
VIEWER:audio/mp3:fbplayer %s
VIEWER:audio/ogg:fbplayer %s
VIEWER:audio/flac:fbplayer %s
fbplayer is a script like this:
cat ~/.local/bin/fbplayer
#!/bin/sh
clear
setterm --cursor off
mplayer -vo fbdev2 -vf scale=1280:-3 "$@"
setterm --cursor on
Browsh is crap, it hogs CPU like a pig, it's pretty useless. Even felinks is more capable; it supports enough minimal JS to comment on Meneame.
cc #8
The article makes me think that Camerfirma is like the FNMT, and I see that it is a private company, a mere provider of the HTTPS certificate for the AEAT and other public administrations.
Word on the grapevine is also that there will be a very big hit when letsencrypt.org/ becomes independent and all its certificates stop being trusted on old Android versions... but come on, that's a problem you fix by installing a more widely recognised certificate if your traffic drops, right?
(I'm not voting sensationalist because I'm not sure, but if what I believe is true, it should be discarded)
Issue T: Failure to disclose unconstrained sub-CA (MULTICERT) (2018 - 2020)
In the course of resolving Issue R, it was further discovered in July 2018 that Camerfirma had failed to disclose two additional sub-CA certificates, operated by MULTICERT. Mozilla Policy required that such sub-CAs be disclosed within one week of creation.
Camerfirma's explanation at the time was that they failed to consider that the person responsible for disclosing into CCADB would be unavailable, and that the backup for that person would be unavailable. They resolved this by adding a backup to the backup, in case the backup fails.
However, the disclosure in the CCADB turned out to be incorrect and misleading, as Camerfirma disclosed that they operated the sub-CA, when in fact it was externally operated. At the time, this was only detected because Microsoft had disclosed the CP/CPS they had for MULTICERT's root, which participated in Microsoft's root program. Camerfirma's explanation was that the person responsible for disclosing was overloaded, and that three people would be responsible for disclosures going forward.
In 2019, Camerfirma failed to provide correct audits for MULTICERT. Their explanation was that they only had one person responsible for communicating with their sub-CAs, and had failed to consider that the person responsible for communicating with sub-CAs and disclosing into CCADB would be unavailable. They stated that they intended to prevent such issues from recurring in the future by purporting to implement additional steps.
In 2020, Camerfirma again failed to properly disclose sub-CAs operated by MULTICERT, erroneously reporting them as covered by Camerfirma's CP/CPS. Their stated reason was because these new sub-CAs were not covered by a new audit from MULTICERT yet, although the expectations for how to disclose that had been previously communicated by Kathleen Wilson.
bugzilla.mozilla.org/show_bug.cgi?id=1672423
"At that time, we did not have the automatic controls yet and the checks were performed manually by comparing with the name given by the client, so the error was not detected in the moment of the issuance."
The rest of the misdeeds are here:
wiki.mozilla.org/CA:Camerfirma_Issues
Iñaki Gabilondo: "We have a problem we must acknowledge: Spain doesn't work"
www.meneame.net/story/inaki-gabilondo-tenemos-problema-debemos-reconoc
Back in the day I liked aatv too, until I saw fbtv and was blown away.
This will be implemented via our existing mechanisms to respond to CA
incidents, via an integrated blocklist. Beginning with Chrome 90, users
that attempt to navigate to a website that uses a certificate that chains
to one of the roots detailed below will find that it is not considered
secure, with a message indicating that it has been revoked. Users and
enterprise administrators will not be able to bypass or override this
warning.
Edit: Answering myself: wiki.mozilla.org/CA:Camerfirma_Issues
Take a look at letsencrypt.org/2020/12/21/extending-android-compatibility.html
Our entire identity on the Internet, and that of the servers you connect to, depends on a certifier (Trust Service Providers, they're called... TRUST) saying that you are you. And for that they must have serious procedures for identifying those who receive their certificates and for how these are managed, renewed, etc. Browsers are taking a big risk if they accept too much crap. And several of the issues listed show serious failures in managing the RAs (they are the ones who securely identify the recipients of certificates).
Chambers of commerce... they'd better stick to giving courses (or concerts) and stay out of serious business...
Fortunately, they are no longer funded through taxes, so they are just another private entity offering a public service to all kinds of companies.
They can barely influence the day-to-day life of companies, since they have no power and almost no associated functions.