Closed
Bug 1146026
Opened 9 years ago
Closed 9 years ago
Distrust MSCHOLDING intermediate certificate
Categories
(NSS :: CA Certificates Code, task)
NSS
CA Certificates Code
Tracking
(firefox38 fixed, firefox38.0.5 fixed, firefox39 fixed, firefox40 fixed, firefox41 fixed, firefox-esr31 wontfix, firefox-esr38 fixed, b2g-v2.0 fixed, b2g-v2.0M fixed, b2g-v2.1 fixed, b2g-v2.1S fixed, b2g-v2.2 fixed, b2g-master fixed)
RESOLVED
FIXED
3.18.1
People
(Reporter: rbarnes, Assigned: KaiE)
References
Details
(Keywords: sec-high, Whiteboard: [b2g-adv-main2.2-])
Attachments
(3 files, 1 obsolete file)
An intermediate certificate under the CNNIC root issued a certificate for google.com. We should distrust that intermediate in NSS. The only thing that gives me pause about this change is that the intermediate expires on 6 Apr 2015, so the benefit would be rather short-lived.
Reporter | ||
Comment 1•9 years ago
|
||
Reporter | ||
Comment 2•9 years ago
|
||
Reporter | ||
Comment 3•9 years ago
|
||
Attachment #8581175 -
Flags: review?(kaie)
Assignee | ||
Comment 4•9 years ago
|
||
Yes, given the short lived nature of this intermediate, I wonder how much benefit it would have. Has the private key been published for this intermediate? Would Mozilla be willing to push out a chemspill release for this?
Assignee | ||
Comment 5•9 years ago
|
||
Comment on attachment 8581175 [details] [diff] [review] bug-1146026.patch Richard, for the purpose of confirming your patch, I tried to reproduce your patch by using the intermediate you have attached, and running the addbuiltin utility. I'm confused, because my patch differs from your's in the encoding of the serial number. Even more confusing, there are two sections, one for the certificate, one for the trust record. Your patch has different encodings in the sections, but they should be identical. How did you create the patch? I'll attach the patch that I've created using: cat /tmp/int_orig.pem| atob| addbuiltin -t p,p,p -n "Explicitly Distrusted MCSHOLDING CA"
Assignee | ||
Comment 6•9 years ago
|
||
Reporter | ||
Comment 7•9 years ago
|
||
(In reply to Kai Engert (:kaie) from comment #5) > Comment on attachment 8581175 [details] [diff] [review] > bug-1146026.patch > > How did you create the patch? > > I'll attach the patch that I've created using: > > cat /tmp/int_orig.pem| atob| addbuiltin -t p,p,p -n "Explicitly Distrusted > MCSHOLDING CA" I hacked it by hand, so your version should be the right one. I'm still not totally convinced that this is worth landing. Mozilla is not planning a chemspill for this. The public key has not been leaked, and MSC Holdings claims to have deleted their copy.
Reporter | ||
Updated•9 years ago
|
Attachment #8581175 -
Attachment is obsolete: true
Attachment #8581175 -
Flags: review?(kaie)
Assignee | ||
Comment 8•9 years ago
|
||
(In reply to Richard Barnes [:rbarnes] from comment #7) > I'm still not totally convinced that this is worth landing. Mozilla is not > planning a chemspill for this. The public key has not been leaked, and MSC > Holdings claims to have deleted their copy. We discussed it today in the call. We thought it would be reasonable to: - don't rush - push out the intermediate anyway. Richard, if you r+ed my patch, I'd to the following: - land both this bug and bug 1145270 - release it as a new root CA list (version 2.4) - create a NSS minibranch release 3.18.0.1 which has these two changes Anyone who wants this NSS update could then easily pick it up. We could offer to Firefox drivers to take it for Firefox 38, which already uses 3.18, and taking 3.18.0.1 would be a non-code change, only CA list change, so very low risk.
Flags: needinfo?(rlb)
Assignee | ||
Updated•9 years ago
|
Attachment #8582599 -
Flags: superreview?(rrelyea)
Attachment #8582599 -
Flags: review?(rlb)
Reporter | ||
Updated•9 years ago
|
Flags: needinfo?(rlb)
Reporter | ||
Comment 9•9 years ago
|
||
Comment on attachment 8582599 [details] [diff] [review] patch v2 Review of attachment 8582599 [details] [diff] [review]: ----------------------------------------------------------------- It's fine with me if you want to proceed with this. But it doesn't seem hugely important. Given that the certificate is already expired, the only real benefit is that clients with clocks that are badly wrong.
Attachment #8582599 -
Flags: review?(rlb) → review+
Assignee | ||
Updated•9 years ago
|
Target Milestone: --- → 3.19
Assignee | ||
Comment 10•9 years ago
|
||
can we open this bug?
Assignee | ||
Comment 11•9 years ago
|
||
https://hg.mozilla.org/projects/nss/rev/c1bd3c0eaa34
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 12•9 years ago
|
||
Landed into NSS_3_18_BRANCH https://hg.mozilla.org/projects/nss/rev/624fd149bd3a
Assignee | ||
Updated•9 years ago
|
Target Milestone: 3.19 → 3.18.1
Assignee | ||
Comment 13•9 years ago
|
||
(In reply to Kai Engert (:kaie) from comment #10) > can we open this bug?
Flags: needinfo?(dveditz)
Updated•9 years ago
|
Flags: needinfo?(dveditz)
Comment 14•9 years ago
|
||
I'm guessing this is wontfix for esr31? Unless we end up taking 3.19.1 there as well.
Assignee: nobody → kaie
status-b2g-v2.0:
--- → affected
status-b2g-v2.0M:
--- → affected
status-b2g-v2.1:
--- → affected
status-b2g-v2.1S:
--- → affected
status-b2g-v2.2:
--- → affected
status-b2g-master:
--- → fixed
status-firefox38:
--- → fixed
status-firefox38.0.5:
--- → fixed
status-firefox39:
--- → fixed
status-firefox40:
--- → fixed
status-firefox41:
--- → fixed
status-firefox-esr31:
--- → ?
status-firefox-esr38:
--- → fixed
Flags: needinfo?(kaie)
Assignee | ||
Comment 15•9 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #14) > I'm guessing this is wontfix for esr31? Agreed. > Unless we end up taking 3.19.1 there as well. We'll take a 3.19.1 that's modified to keep the old set of root CA certificates (pre 1024-bit removal).
Flags: needinfo?(kaie)
Updated•9 years ago
|
Updated•9 years ago
|
Comment 16•9 years ago
|
||
Al, what's the advisory status for Firefox on this?
Flags: needinfo?(abillings)
Whiteboard: [b2g-adv-main2.2?]
Updated•9 years ago
|
Flags: needinfo?(abillings)
Comment 17•9 years ago
|
||
(In reply to Christiane Ruetten [:cr] from comment #16) > Al, what's the advisory status for Firefox on this? We don't write advisories for certificate changes.
Updated•9 years ago
|
Whiteboard: [b2g-adv-main2.2?] → [b2g-adv-main2.2-]
Updated•9 years ago
|
Attachment #8582599 -
Flags: superreview?(rrelyea)
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•