Roger Binns — Fri 28 March 2014

There has been a lot of fuss this week over Brendan Eich becoming Mozilla CEO. The issue is a donation against gay marriage. For many, especially outside the US, it can be hard to see why this is a big deal, irrespective of your agreement with the issue. Twenty years ago someone was kind enough to explain it to me.

According to the United States Government Accountability Office (GAO), there are 1,138 statutory provisions in which marital status is a factor in determining benefits, rights, and privileges. [1]

—Rights and responsibilities of marriages in the United States

Campaigning against gay marriage isn't about the marriage itself (whatever your moral framework), but also denies those 1,138 benefits, rights and privileges to gay couples. It makes them less equal than opposite sex couples. Understandably, making other people less equal is an issue.

It seems very contradictory to be all about inclusiveness at Mozilla, but against it outside of work for those same employees, not to mention Mozilla's customer/user base. Brendan has never publicly explained his opinion nor changed his mind - statement from 2012.

I personally think this is an important human rights issue - I'm for human rights and equality, and hope you are too.

[1]	Note that those benefits, rights and privileges don't only apply to the married couple themselves, but also impose obligations on others. For example a hospital has to let the married partner visit or make care decisions, but doesn't for unmarried people. This is an example of what can happen.

Category: misc – Tags: mozilla

Roger Binns — Wed 07 August 2013

In a fit of madness I decided to replace the self signed SSL certificate I use with a proper one. The self signed one I made was good for 10 years so I didn't have to deal with renewal nonsense. Various clients did whine a bit, but usually there was some setting to tell them it was ok. The biggest problem with a self signed cert is you generally can't tell the difference between it and a middleman intercepting your connection.

SSL certificates are a curious business. Just like with the credit rating agencies and the banking crisis, the incentives and payments are all wrong. The certificate is analogous to an identity document like a drivers license or a passport. Identity documents are trusted not because of the information on them, but rather who issued them. My British passport is only trusted around the world because the British government is trusted as the issuer. A self signed SSL certificate is analogous to printing your own passport saying it comes from the Republic of You.

To get a SSL certificate you engage with a certificate authority. They will verify your identity information to some degree, accept your money and issue the certificate. But the people who care about your identity are the ones connecting to your site, and they haven't been involved in this process. The browser and operating system manufacturers handily include a list of trusted certificate authorities, but the way it works is that any name will be accepted providing any of those authorities issued it!

Here is the start of the long list of trusted authorities:

If any of those issued a certificate for my site, your browser would trust it, or for amazon.com or microsoft.com [1] for that matter. For the certificate authority businesses to operate, they need to remain in those trusted lists, but also need to make it easy to exchange money for certificates.

Their solution is multiple "classes" - they create intermediate certificate authorities [2] and each of those then has different requirements. For example a class 1 might check there is a working email address associated with the site, while class 3 may involve people doing strong verification including getting business documents and making phone calls. They charge more for the latter.

But it is rather pointless. Your browser accepts class 1 [3] certificates that cost $20 with minimal verification as well as class 3 that cost the site thousands. As an end user, you could check the certificate for each site you visit, determine if you trust the certificate authority, go to their web site to read up what their statements are for that class and decide if it acceptable risk to you. You'll also notice they'll have some legalese disclaiming any liability, making it essentially worthless.

This is all a long winded way of saying that it doesn't really matter who issues your certificates, there are no real assurances behind them any way, and nobody checks. They wouldn't be too different from real world passports printed on tissue paper that only machines ever look at. Consequently I used the free StartSSL certificate authority.

The sign up process is annoying and tedious, largely to try to give the appearance of value and security. New certificate in hand, I then had to replace my self signed certificate. This was more complicated because I also had to include the intermediary authority information.

The various applications I tried all worked perfectly, except those from Mozilla. In the olden days they would give detailed information about SSL issues, but it was gobbeldy gook, so naturally most users clicked whatever they could to get them to the site as quickly as possible. It is virtually impossible to tell the difference between misconfiguration and security breaches. The solution was to hide all that and try to show the minimum amount. Which leads us to today.

Thunderbird doesn't like the certificate for reasons I can't determine. It doesn't even show an error, so it looks like it is working but in reality it is repeatedly hanging up on the server. When using a self signed certificate it at least puts up an error dialog where you can say to permanently accept the certificate. In this case the behaviour for a legitimate certificate is far worse! Going through several arcane menu sequences you can finally make it work, but this is ridiculous.

Firefox initially worked and then stopped. In the end I worked out that it had OCSP issues [4]. I can't really tell who is to blame, and ended up having to turn OCSP off.

Now I have a real certificate, it works providing you go nowhere near Mozilla products, and isn't worth anything anyway. Madness indeed.

[1]	There are some minimally deployed attempts to fix this like certificate pinning.

[2]	SSL provides a chain of certifying authorities. It would be analogous to getting a passport from England that is then stamped by the British government. You trust the England intermediary because you trust the British government.

[3]	The classes are made up by each certificate authority.

[4]	OCSP allows checking if a certificate has been revoked. If you lost the private part, someone could impersonate your site or read the traffic, so you would ask the issuer to add it to a list of certificates not to be trusted.

Category: misc – Tags: ssl, thunderbird, mozilla