[arch-dev-public] How to disable the DigiNotar root cert on Arch
Hi all,

there was another incident with a CA. See http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificat... for more details. If you'd like to distrust this issuer you'll find a howto for Firefox at http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert

For other apps that use our ca-certificates package (by Debian) you can easily disable the root cert by issuing the following commands as root:

    sed -E 's#^(mozilla/DigiNotar_Root_CA.crt)$#!\1#g' -i /etc/ca-certificates.conf
    update-ca-certificates

This information is just for those who are curious. There is most likely no need for those people to panic; especially if you don't live in Iran. And if you do, it's probably too late, as the issuer was compromised two months ago. And I thought the Comodo incident was already a pure nightmare...

The whole CA structure we base our SSL security on is a mess imho. Blindly shipping a bunch of certificates to our users does not seem to be the best idea any more. Unfortunately there is no real alternative atm.

Greetings,

Pierre

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre
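An added example, not from Pierre's post: the same "!" blacklisting that his sed one-liner performs, but with the checks a practitioner wants around it. The plain sed silently does nothing if the entry name does not match (a typo, or a differently named certificate file in another package version), which would leave the CA trusted. The functions work on any file in /etc/ca-certificates.conf format; the demo at the bottom runs on a constructed copy, so nothing here touches the real system store, and the entry names in that copy are only illustrative.

```shell
#!/bin/bash
# Added example (not from the thread): blacklist an entry in a
# ca-certificates.conf-style file the way update-ca-certificates expects,
# with a presence check and idempotency. Nothing touches /etc.
set -u

# disable_ca CONF NAME
# Prefix the line NAME (e.g. mozilla/DigiNotar_Root_CA.crt) with "!", which
# is how update-ca-certificates marks an entry as not to be installed.
# Returns 0 if the entry is now (or already was) disabled, 1 if CONF has no
# such entry, so a typo does not pass unnoticed as the bare sed would.
disable_ca() {
  conf=$1; name=$2
  grep -qxF "!$name" "$conf" && return 0     # already blacklisted
  grep -qxF "$name" "$conf" || return 1      # not in this conf at all
  # Escape the characters that are special in a sed basic regex.
  esc=$(printf '%s' "$name" | sed 's/[][\.*^$]/\\&/g')
  sed -i "s#^${esc}\$#!&#" "$conf"
  grep -qxF "!$name" "$conf"                 # confirm the edit landed
}

# enabled_certs CONF: the entries update-ca-certificates would still install.
enabled_certs() {
  grep -v '^#' "$1" | grep -v '^!' | grep -v '^$' || true
}

# installed_link CERTDIR NAME: the symlink update-ca-certificates creates
# for NAME in CERTDIR (/etc/ssl/certs on a real system). After disabling an
# entry and running update-ca-certificates, that link should be gone.
installed_link() {
  printf '%s/%s.pem\n' "$1" "$(basename "$2" .crt)"
}

# Demo on a constructed conf (the real file lists several hundred entries).
demo=$(mktemp -d)
cat > "$demo/ca-certificates.conf" <<'EOF'
# Lines starting with # are comments; lines starting with ! are disabled.
mozilla/DigiNotar_Root_CA.crt
mozilla/Staat_der_Nederlanden_Root_CA.crt
mozilla/Equifax_Secure_CA.crt
EOF

disable_ca "$demo/ca-certificates.conf" mozilla/DigiNotar_Root_CA.crt
echo "still enabled:"
enabled_certs "$demo/ca-certificates.conf"
echo "after update-ca-certificates this should be gone: $(installed_link /etc/ssl/certs mozilla/DigiNotar_Root_CA.crt)"
```

On a real system, run `disable_ca /etc/ca-certificates.conf mozilla/DigiNotar_Root_CA.crt && update-ca-certificates` as root, then confirm that the path printed by `installed_link` no longer exists; applications that read /etc/ssl/certs directly will only stop trusting the CA once that link is gone.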
On Tue, 2011-08-30 at 22:24 +0200, Pierre Schmitz wrote:
Hi all,
there was another incident with a CA. See http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificat... for more details. If you'd like to distrust this issuer you'll find a howto for Firefox at http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert
For other apps that use our ca-certificates package (by Debian) you can easily disable the root cert by issuing the following commands as root:

    sed -E 's#^(mozilla/DigiNotar_Root_CA.crt)$#!\1#g' -i /etc/ca-certificates.conf
    update-ca-certificates

This information is just for those who are curious. There is most likely no need for those people to panic; especially if you don't live in Iran. And if you do, it's probably too late, as the issuer was compromised two months ago. And I thought the Comodo incident was already a pure nightmare...
The whole CA structure we base our SSL security on is a mess imho. Blindly shipping a bunch of certificates to our users does not seem to be the best idea any more. Unfortunately there is no real alternative atm.
The whole SSL system is based on trust. We have to trust the CA roots, and those CA roots have to trust their clients. That way, we trust the clients they trust. So far, not much is wrong with that system, but when it turns out the CA root can't be trusted, that CA root should get kicked out. You can't tell the difference between a valid certificate issued by the CA root and an invalid certificate issued by a hacker using his key.

I already removed DigiNotar from nss. Ionut updated Firefox to 6.0.1, which distrusts all certificates that are issued by DigiNotar, with the exception of those that originate from the PKIOverheid CA.

We should remove DigiNotar from our ca-certificates package. A CA that doesn't care about security, doesn't inform us about hacks and doesn't even know what systems were affected should not be trusted.

Looking at Debian, they already blacklisted DigiNotar: http://packages.qa.debian.org/c/ca-certificates/news/20110831T024756Z.html

We should do the same.
On Tue, 30 Aug 2011 22:24:33 +0200, Pierre Schmitz wrote:
Hi all,
there was another incident with a CA. See http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificat... for more details. If you'd like to distrust this issuer you'll find a howto for Firefox at http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert
For other apps that use our ca-certificates package (by Debian) you can easily disable the root cert by issuing the following commands as root:
As a follow-up I'd recommend to also remove the root certificates of "Staat der Nederlanden". The problem is that they had used DigiNotar as intermediate CA. There are specific updates for Firefox and Chromium but other browsers are still affected. You can check if these certs are still accepted by your browser by visiting sites such as https://secure.valkenswaard.nl/. Make sure they still use the DigiNotar intermediate cert. ATM I don't know of any other workaround than removing the root certs completely. To do so run:

    sed -E 's#^(mozilla/Staat_der_Nederlanden_Root_CA.*)$#!\1#g' \
        -i /etc/ca-certificates.conf
    update-ca-certificates

Here are some links including more details. For now it seems Debian won't remove these root certs. Unfortunately this would mean that every client needs to be updated; which is also unlikely to happen. A brief look at what Mozilla does*) should show that this system is pretty much broken.

http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/
https://bugzilla.mozilla.org/show_bug.cgi?id=683449
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640567

*) http://hg.mozilla.org/releases/mozilla-release/file/e65f4c8bd243/security/ma...

Greetings,

Pierre

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre
On Wed, Sep 7, 2011 at 4:55 AM, Pierre Schmitz <pierre@archlinux.de> wrote:
For now it seems Debian won't remove these root certs. Unfortunately this would mean that every client needs to be updated; which is also unlikely to happen.
However, why can't we remove it? -Dan
On Wed, 2011-09-07 at 11:55 +0200, Pierre Schmitz wrote:
As a follow-up I'd recommend to also remove the root certificates of "Staat der Nederlanden". The problem is that they had used DigiNotar as intermediate CA. There are specific updates for Firefox and Chromium but other browsers are still affected. You can check if these certs are still accepted by your browser by visiting sites such as https://secure.valkenswaard.nl/. Make sure they still use the DigiNotar intermediate cert. ATM I don't know of any other workaround than removing the root certs completely.

What is this advice based on? You're getting it wrong. "Staat der Nederlanden CA" is a root CA, they haven't been compromised. The certificate chain is as follows:

Staat der Nederlanden CA -> DigiNotar -> fraud cert

If you remove DigiNotar from ca-certificates, you'll get this:

Staat der Nederlanden CA -> missing cert -> fraud cert

Every sane client application will complain about the missing cert. Probably it won't even know about the Staat der Nederlanden CA, as you can't resolve to it directly without having the DigiNotar certificate.

The thing Mozilla is talking about is their special exception that has been removed. In Firefox 6.0.1, if you had a certificate signed by DigiNotar that resolved to the Staat der Nederlanden CA, it would accept this certificate as valid. This exception has been removed in 6.0.2.
On Wed, 07 Sep 2011 14:35:21 +0200, Jan de Groot wrote:
On Wed, 2011-09-07 at 11:55 +0200, Pierre Schmitz wrote:
As a follow-up I'd recommend to also remove the root certificates of "Staat der Nederlanden". The problem is that they had used DigiNotar as intermediate CA. There are specific updates for Firefox and Chromium but other browsers are still affected. You can check if these certs are still accepted by your browser by visiting sites such as https://secure.valkenswaard.nl/. Make sure they still use the DigiNotar intermediate cert. ATM I don't know of any other workaround than removing the root certs completely.
What is this advice based on? You're getting it wrong. "Staat der Nederlanden CA" is a root CA, they haven't been compromised. The certificate chain is as follows:
Staat der Nederlanden CA -> DigiNotar -> fraud cert
If you remove DigiNotar from ca-certificates, you'll get this:
Staat der Nederlanden CA -> missing cert -> fraud cert
Doesn't the server also send the intermediate certs if needed? Or am I mixing things?
Every sane client application will complain about the missing cert. Probably it won't even know about the Staat der Nederlanden CA, as you can't resolve to it directly without having the DigiNotar certificate.
I did a brief test with curl and webkit browsers such as rekonq. They accept the certificates from the site mentioned above unless I disable "Staat der Nederlanden CA". AFAIK Firefox does an explicit check if there is a DigiNotar cert within the chain; other browsers and clients most likely don't. So I still think it's the easiest for most people to disable those certs as well.

But yes, I am not absolutely sure as the information you can find in the media atm is not that accurate. E.g. heise states that Microsoft will remove the Nederlands root cert completely.

-- 
Pierre Schmitz, https://users.archlinux.de/~pierre
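An added example, not part of the thread: the chain Jan laid out (root -> intermediate -> site cert) and the test Pierre describes with curl can be reproduced offline with a throwaway PKI built with openssl. "Toy Root" stands in for the Staat der Nederlanden root, "Toy Sub" for the DigiNotar intermediate it signed, and "Other Root" for an unrelated CA; all names, keys and certificates are constructed here and nothing touches the system store. The three cases at the bottom show that, with the root trusted, the leaf validates as long as the server sends the intermediate (which is never in the local store here, so blacklisting it locally changes nothing), that it fails when the server omits the intermediate (Jan's "missing cert" case), and that it fails once the root itself is removed (Pierre's workaround).

```shell
#!/bin/bash
# Added example (not from the thread): a toy root -> intermediate -> leaf
# chain to show which trust-store change actually stops validation.
# Everything lives in a temporary directory; the system store is untouched.
set -eu
work=$(mktemp -d)
cd "$work"

# issue_cert NAME SUBJECT EXTFILE [ISSUER]   (no ISSUER = self-signed)
issue_cert() {
  name=$1 subj=$2 ext=$3 issuer=${4:-}
  openssl req -new -newkey rsa:2048 -nodes -keyout "$name.key" \
      -out "$name.csr" -subj "$subj" >/dev/null 2>&1
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 30 \
        -extfile "$ext" -out "$name.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
        -CAcreateserial -days 30 -extfile "$ext" -out "$name.pem" >/dev/null 2>&1
  fi
}

# Extensions: CA certificates must carry CA:TRUE or path building rejects them.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

issue_cert root  '/CN=Toy Root'            ca.ext          # stands in for Staat der Nederlanden
issue_cert other '/CN=Other Root'          ca.ext          # unrelated CA
issue_cert sub   '/CN=Toy Sub'             ca.ext   root   # stands in for the DigiNotar intermediate
issue_cert leaf  '/CN=secure.example.test' leaf.ext sub    # the site certificate

# verify_leaf STORE [SENT]
# STORE is the client's trust store (a PEM bundle). SENT is what the server
# sends alongside the leaf (the intermediate); it is used for path building
# but is NOT trusted, exactly like a TLS client treats server-sent certs.
verify_leaf() {
  store=$1; sent=${2:-}
  if [ -n "$sent" ]; then
    openssl verify -no-CApath -CAfile "$store" -untrusted "$sent" leaf.pem >/dev/null 2>&1
  else
    openssl verify -no-CApath -CAfile "$store" leaf.pem >/dev/null 2>&1
  fi
}

# case_result LABEL STORE [SENT]: prints "LABEL: VALID" or "LABEL: INVALID"
case_result() {
  if verify_leaf "$2" "${3:-}"; then echo "$1: VALID"; else echo "$1: INVALID"; fi
}

case_result "root trusted, server sends intermediate" root.pem  sub.pem
case_result "root trusted, server omits intermediate" root.pem
case_result "root removed, server sends intermediate" other.pem sub.pem
```

The first case is what curl and the webkit browsers did with secure.valkenswaard.nl: the DigiNotar intermediate arrives with the server's handshake, so only an explicit rule against it (as Firefox 6.0.2 and Chromium added) or removing the root it chains to makes the validation fail.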
On Wed, 2011-09-07 at 16:07 +0200, Pierre Schmitz wrote:
I did a brief test with curl and webkit browsers such as rekonq. They accept the certificates from the site mentioned above unless I disable "Staat der Nederlanden CA". AFAIK Firefox does an explicit check if there is a DigiNotar cert within the chain; other browsers and clients most likely don't. So I still think it's the easiest for most people to disable those certs as well.
I tried epiphany, that browser doesn't even give a warning when a cert is invalid. One week ago the cert for GNOME bugzilla was expired, Firefox couldn't add an exception, making it unable to visit bugs.gnome.org, but epiphany just shows the website without any warning. When I check a DigiNotar signed website, Epiphany shows a broken lock in the address bar, so though it's SSL, it says the security is broken.
But yes, I am not absolutely sure as the information you can find in the media atm is not that accurate. E.g. heise states that Microsoft will remove the Nederlands root cert completely.
Heise is wrong IMHO. When the DigiNotar hack was made public, all browser companies issued updates. Both Microsoft and Mozilla added checks to their browsers to see if a cert originates from "Staat der Nederlanden CA" so the cert would get accepted as valid. Now that Fox IT uncovered in a report about the security at DigiNotar that no cert ever issued by this company should be trusted, Mozilla and Microsoft decided to remove that exception and just disable all DigiNotar certificates. I pulled in this update through Windows Update this morning, I had to reboot for it (Windows XP). On Windows XP you don't have to reboot for a base certificate update, so this is an update that touches code instead of some certificate store.
On 09/07/2011 08:02 PM, Jan de Groot wrote:
On Wed, 2011-09-07 at 16:07 +0200, Pierre Schmitz wrote:
I did a brief test with curl and webkit browsers such as rekonq. They accept the certificates from the site mentioned above unless I disable "Staat der Nederlanden CA". AFAIK Firefox does an explicit check if there is a DigiNotar cert within the chain; other browsers and clients most likely don't. So I still think it's the easiest for most people to disable those certs as well.
I tried epiphany, that browser doesn't even give a warning when a cert is invalid. One week ago the cert for GNOME bugzilla was expired, Firefox couldn't add an exception, making it unable to visit bugs.gnome.org, but epiphany just shows the website without any warning. When I check a DigiNotar signed website, Epiphany shows a broken lock in the address bar, so though it's SSL, it says the security is broken.
Epiphany is kinda broken. It says for all websites that the security is broken. I wonder if we are missing something... https://bugzilla.gnome.org/show_bug.cgi?id=611496
But yes, I am not absolutely sure as the information you can find in the media atm is not that accurate. E.g. heise states that Microsoft will remove the Nederlands root cert completely.
Heise is wrong IMHO. When the DigiNotar hack was made public, all browser companies issued updates. Both Microsoft and Mozilla added checks to their browsers to see if a cert originates from "Staat der Nederlanden CA" so the cert would get accepted as valid. Now that Fox IT uncovered in a report about the security at DigiNotar that no cert ever issued by this company should be trusted, Mozilla and Microsoft decided to remove that exception and just disable all DigiNotar certificates. I pulled in this update through Windows Update this morning, I had to reboot for it (Windows XP). On Windows XP you don't have to reboot for a base certificate update, so this is an update that touches code instead of some certificate store.

-- 
Ionuț
participants (4)
- Dan McGee
- Ionut Biru
- Jan de Groot
- Pierre Schmitz