undefined | Better HN

0 pointstrulyrandom6y ago0 comments

TLS supports ECC certificates, so any web client using crypt32 to verify those is affected. That includes web browsers and lots of other types of services, so it's not primarily code signed executables.

Does Firefox still use NSS when using the Windows Certificate Store for the source of trusted root certs? What about Chrome?

You're right that RSA certificates are unaffected. There's no such thing as AES certificates, though.

0 comments

tialaramex6y ago

> Does Firefox still use NSS when using the Windows Certificate Store for the source of trusted root certs?

Yes. When enabled this feature in Firefox just effectively copies certificates from one of the Windows trust stores but continues to use its own (NSS) logic for trust decisions. Note also that Firefox's config switch only looks at your local changes - a corporate CA, a MITM proxy on a dev's workstation, something like that. Firefox continues to rely on Mozilla's judgement not Microsoft's for global trust policy.

> What about Chrome?

Chrome is probably affected. Chrome uses the platform (in this case crypt32.dll) trust decisions and then layers on additional rules from Google, such as the requirement for proof of CT logging. So unless an additional rule is blocking the weird curves they'll pass on Chrome on Windows.

j / k navigate · click thread line to collapse