John Nagle | 4 Jul 2012 19:34

New MITM cert incident - Cyberoam

   A CA called Cyberoam appears to have issued a wildcard cert to
enable MITM attacks for "deep packet inspection" and "security"
purposes.  The same cert is used by all their devices.

https://blog.torproject.org/blog/security-vulnerability-found-cyberoam-dpi-devices-cve-2012-3372

   They're not a CA trusted by Mozilla, apparently.

					John Nagle
Daniel Veditz | 5 Jul 2012 04:07

Re: New MITM cert incident - Cyberoam

On 7/4/12 10:34 AM, John Nagle wrote:
>   A CA called Cyberoam appears to have issued a wildcard cert to
> enable MITM attacks for "deep packet inspection" [...]
> 
>   They're not a CA trusted by Mozilla, apparently.

They're not a CA. Businesses wishing to use the Cyberoam devices
need to install the Cyberoam self-issued CA-cert on each computer on
the network. Enterprises could either push the cert to everyone if
they have that kind of tool, or require that workers "voluntarily"
install it themselves (because otherwise you aren't able to reach
the internet).

If we implement cert pinning we'll either have to allow that kind of
business to disable it, or write off our users who work for
companies with that kind of control freakery. It's more common than
you'd think, some of our own Mozilla community members work for
companies with that kind of policy.

-Dan Veditz
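
The two pinning options named in the reply above, modelled as an added example (not part of the thread and not Mozilla's implementation). The function and field names, the pin format (base64 SHA-256 over the public key info), and all certificate data are assumptions constructed for illustration.

```python
import base64
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    spki: bytes  # stand-in for the DER SubjectPublicKeyInfo (constructed bytes)

def spki_pin(spki: bytes) -> str:
    """Pin value: base64 of SHA-256 over the public key info."""
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")

def check_pins(host, chain, anchor_origin, pins, allow_local_bypass):
    """Return (accepted, reason) for a chain that already passed normal validation.

    anchor_origin is "builtin" (shipped root) or "user-installed" (added locally,
    as the appliance's CA cert would be).
    """
    pinned = pins.get(host)
    if not pinned:
        return True, "host not pinned"
    if any(spki_pin(c.spki) in pinned for c in chain):
        return True, "pin matched"
    if allow_local_bypass and anchor_origin == "user-installed":
        return True, "pin mismatch ignored: locally installed root"
    return False, "pin mismatch"

# Constructed sample data: names and key bytes are placeholders.
SITE_CA = Cert("Example Site CA", b"site-ca-key")
GENUINE = [Cert("mail.example.test", b"site-leaf-key"), SITE_CA]
INTERCEPTED = [Cert("mail.example.test", b"appliance-minted-key"),
               Cert("Appliance CA", b"appliance-shared-key")]
MISISSUED = [Cert("mail.example.test", b"other-leaf-key"),
             Cert("Other Public CA", b"other-ca-key")]
PINS = {"mail.example.test": {spki_pin(SITE_CA.spki)}}

def decisions(allow_local_bypass):
    """Run the three constructed chains under one policy setting."""
    cases = {"genuine": (GENUINE, "builtin"),
             "intercepted": (INTERCEPTED, "user-installed"),
             "misissued": (MISISSUED, "builtin")}
    return {name: check_pins("mail.example.test", chain, origin, PINS,
                             allow_local_bypass)[0]
            for name, (chain, origin) in cases.items()}

if __name__ == "__main__":
    for bypass in (False, True):
        print("bypass" if bypass else "strict", decisions(bypass))
```

With the bypass enabled, the pin still rejects a mismatching chain from a shipped root, but offers no protection against whoever holds the key of the locally installed CA.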
