On Wed, 2016-01-06 at 12:56 -0500, Stephen Gallagher wrote:
Well, the problem was never software that Fedora was shipping. The
problem is Fedora *as a client*. There are unfortunately many
websites
out there that are still signed by insecure certificates. We
certainly
need to choose a sunset date to stop shipping those insecure CAs, but
unfortunately we can't force everyone in the world to switch to sane
certificates.
Hi,
Mozilla worked with CAs to ensure impact would be limited before removing the affected
root certificates. Mozilla responds to bug reports on
bugzilla.mozilla.org in case a
particular removal has had unexpectedly large impact, but they also have telemetry in
Firefox to automatically report such issues; I trust them to take action if a removal
causes unexpected breakage.
Any sites affected by these removals are broken in upstream Firefox. I don't see any
reason Fedora software should be compatible with more sites than Firefox. I believe the
value of the ca-legacy certificates outweighed the significant security risk when they
improved the compatibility of Fedora software with Firefox. I was quite disappointed when,
after the certificates were originally removed, various Fedora software (in particular,
Epiphany) was unable to display sites that worked properly in Firefox. Nowadays, this is
no longer an issue, and it seems to be a large risk for little or no benefit.
(Realistically, this won't change until 6-12 months after Google
Chrome, Microsoft Internet Explorer and Apple Safari all eliminate
those CAs). I don't have any information on if or when this will
happen, but that's just about the only way that website admins will
suddenly care enough to fix things.
I think Firefox is the only browser that ships its own CA certificates.
Other browsers use the certificates provided by the operating system. I
have not heard of any plans from Microsoft or Apple to start removing
these certificates.
Michael