Closed
Bug 1134989
Opened 9 years ago
Closed 9 years ago
Hotfix to mark Komodia root certificates as untrusted in NSS once the relevant software has been removed
Categories
(NSS :: CA Certificates Code, task)
NSS
CA Certificates Code
Tracking
(firefox36 wontfix, firefox37 wontfix, firefox38 wontfix, firefox39 wontfix, firefox40 wontfix, firefox41 wontfix, firefox42 wontfix, firefox43 wontfix, firefox-esr31 wontfix, firefox-esr38 wontfix)
People
(Reporter: cesarb, Assigned: mgoodwin)
References
()
Details
(Keywords: csectype-other, sec-other)
As discussed in bug 1134506, the Superfish MITM proxy root certificate should be treated as untrusted. "slipstream / raylee" (https://twitter.com/TheWack0lian) found several other MITM proxies, which like Superfish use the Komodia SDK, that have hardcoded root certificates. Since they are hardcoded, their private key has been compromised, and they should also be treated as untrusted. The list of currently known hardcoded private keys can be found at https://gist.github.com/Wack0/17c56b77a90073be81d3.
http://marcrogers.org/2015/02/19/will-the-madness-never-end-komodia-ssl-certificates-are-everywhere/ It's even worse than anyone could have thought. Mozilla needs to kill this fast.
|
||
Comment 2•9 years ago
|
||
Man in the middle attack - marking as critical
Severity: major → critical
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: csectype-other,
sec-high
|
||
Updated•9 years ago
|
Summary: Mark Komodia root certificates as untrusted in NSS → Hotfix to mark Komodia root certificates as untrusted in NSS once the relevant software has been removed
|
|
||
Comment 3•9 years ago
|
||
This should just be an adaptation of bug 1136150 to block additional certificates when the corresponding software has been removed. I believe Mark has a list of certs, but we are still waiting on information about how to check whether the software is present.
Assignee: nobody → mgoodwin
|
|
||
Updated•9 years ago
|
Status: NEW → ASSIGNED
|
||
Updated•9 years ago
|
status-firefox36:
--- → wontfix
status-firefox37:
--- → affected
status-firefox38:
--- → affected
status-firefox39:
--- → affected
status-firefox-esr31:
--- → affected
tracking-firefox39:
--- → +
|
||
Comment 4•9 years ago
|
||
Al, is this something that will need uplift to 37 and 38? Or is that unnecessary because of how hotfixes work? Thanks.
Flags: needinfo?(abillings)
|
|
||
Comment 5•9 years ago
|
||
We would take this in NSS and then rev the NSS version, AFAIK. This is really Richard Barnes' call though for when and how to handle it.
Flags: needinfo?(abillings) → needinfo?(rlb)
|
|
||
Comment 6•9 years ago
|
||
OK, based on talking with Richard on irc, we probably don't need to track this for now. As I understand it, if a computer is already infected, we can't use this hotfix because it breaks https for them. It doesn't help anyone who isn't infected stay uninfected. But if people have removed whatever it is that has compromised their machine, and we can detect it, then maybe we can apply a hotfix. So maybe we need help from Telemetry. Please feel free re-nominate this for tracking if it seems like relman needs to be involved or we make this a priority.
tracking-firefox39:
+ → ---
|
|
||
Updated•9 years ago
|
|
|
||
Updated•9 years ago
|
status-firefox40:
--- → affected
status-firefox41:
--- → affected
status-firefox42:
--- → affected
status-firefox43:
--- → affected
status-firefox-esr38:
--- → affected
|
|
||
Comment 7•9 years ago
|
||
At this point, I don't think we're going to take any action on this.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(rlb)
Resolution: --- → WONTFIX
|
||
Updated•2 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•