Re: Ongoing Firefox (and Thunderbird) Trademark problems
On 7/2/05, Andrew Suffield <firstname.lastname@example.org> wrote:
> On Thu, Jun 30, 2005 at 09:43:04PM +0100, Gervase Markham wrote:
> > These are two very different cases, though. If a local admin installs a
> > new root cert, that's cool - they are taking responsibility for the
> > security of those users, and they have extreme BOFH power over them
> > anyway. However, having the root appear by default, so that no-one at
> > the remote site really knows it's there (who consults the root list) and
> > it's now on Y thousand or million desktops - that is a different kettle
> > of fish.
> You've missed the really interesting, really important case.
> What about the site admin team for X thousand desktops who produce a
> modified firefox package to be used across the whole company? This is
> the normal, expected usage of Debian.
Happily, trademark law is perfectly indifferent to this case; when the
modified package is not advertised, marketed, sold, or otherwise used
in commerce under the trademark, there is no case for trademark
infringement (AIUI, IANAL). A trademark license can of course be
conditioned on the licensee's agreement to arbitrary constraints,
since (like a copyright license) it is an offer of contract; but the
offer on the table from the Mozilla Foundation more nearly resembles a
unilateral grant, articulating a "safety zone" within which no license
as such is required, and places no onus on Debian to ensure that
recipients of the Debian package don't further re-work it.
> > A quick reminder of what's at risk here: if the private key of a root
> > cert trusted by Firefox became compromised, _any_ SSL transaction that
> > any user trusting that cert performed could be silently MITMed and
> > eavesdropped on.
> Let's be serious here. You've already got the verisign certificates,
> and you've got a helpful dialog box that appears whenever new
> certificates are presented to the browser such that the user can just
> whack 'ok' without reading it. SSL security on the internet at large
> is a myth. Anybody who trusts it is insane; the risks aren't very
Information security in general is a myth, but like many myths it has
utility in some contexts. If you feel some degree of responsibility
for ensuring the good conduct of someone else, then it's wise to make
good conduct convenient for them and bad conduct as inconvenient,
risky, and easy to detect as possible. Site admins who care can make
it quite inconvenient for the user to "whack 'ok'" when there is no
chain of trust to a root cert, and can back this up with logging to
make it easy to detect and a site policy to make it risky. Selecting
root certs carefully can make it relatively convenient for a
legitimate site to establish a chain of trust and relatively
inconvenient to undermine that trust.
None of this is anything resembling foolproof -- or rather clever,
determined, non-risk-averse, expendable attacker-proof. But it's
sophomoric to claim that ease of circumvention by an unsupervised user
would justify a cavalier attitude to root cert security on the part of
the Mozilla Foundation.