Closed Bug 1146026 Opened 9 years ago Closed 9 years ago

Distrust MSCHOLDING intermediate certificate

Categories

(NSS :: CA Certificates Code, task)

Product:
NSS
Component:
CA Certificates Code
Type:
task
Priority:
Not set
Severity:
major

Tracking

(firefox38 fixed, firefox38.0.5 fixed, firefox39 fixed, firefox40 fixed, firefox41 fixed, firefox-esr31 wontfix, firefox-esr38 fixed, b2g-v2.0 fixed, b2g-v2.0M fixed, b2g-v2.1 fixed, b2g-v2.1S fixed, b2g-v2.2 fixed, b2g-master fixed)

Status:
RESOLVED FIXED
Milestone:
3.18.1
Tracking Flags:
Tracking Status
firefox38 --- fixed
firefox38.0.5 --- fixed
firefox39 --- fixed
firefox40 --- fixed
firefox41 --- fixed
firefox-esr31 --- wontfix
firefox-esr38 --- fixed
b2g-v2.0 --- fixed
b2g-v2.0M --- fixed
b2g-v2.1 --- fixed
b2g-v2.1S --- fixed
b2g-v2.2 --- fixed
b2g-master --- fixed

People

(Reporter: rbarnes, Assigned: KaiE)

References

Details

(Keywords: sec-high, Whiteboard: [b2g-adv-main2.2-])

Attachments

(3 files, 1 obsolete file)

MSCHOLDING intermediate certificate
1.61 KB, application/x-x509-ca-cert
Details
Mis-issued Google EE certificate
1.37 KB, application/x-x509-ca-cert
Details
patch v2
7.96 KB, patch
rbarnes
: review+
Details | Diff | Splinter Review 
An intermediate certificate under the CNNIC root issued a certificate for google.com.  We should distrust that intermediate in NSS.

The only thing that gives me pause about this change is that the intermediate expires on 6 Apr 2015, so the benefit would be rather short-lived.
Attached patch bug-1146026.patch (obsolete) — Splinter Review 

        Attachment #8581175 -
        Flags: review?(kaie)

    
    

    
  
Yes, given the short lived nature of this intermediate, I wonder how much benefit it would have.

Has the private key been published for this intermediate?

Would Mozilla be willing to push out a chemspill release for this?
Keywords: sec-high

    
    

    
  
Comment on attachment 8581175 [details] [diff] [review]
bug-1146026.patch

Richard, for the purpose of confirming your patch, I tried to reproduce your patch by using the intermediate you have attached, and running the addbuiltin utility.

I'm confused, because my patch differs from your's in the encoding of the serial number.

Even more confusing, there are two sections, one for the certificate, one for the trust record. Your patch has different encodings in the sections, but they should be identical.

How did you create the patch?

I'll attach the patch that I've created using:

cat /tmp/int_orig.pem| atob| addbuiltin -t p,p,p -n "Explicitly Distrusted MCSHOLDING CA"

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch v2Splinter Review
      

    


  

    
    

    
  
(In reply to Kai Engert (:kaie) from comment #5)
> Comment on attachment 8581175 [details] [diff] [review]
> bug-1146026.patch
>
> How did you create the patch?
> 
> I'll attach the patch that I've created using:
> 
> cat /tmp/int_orig.pem| atob| addbuiltin -t p,p,p -n "Explicitly Distrusted
> MCSHOLDING CA"

I hacked it by hand, so your version should be the right one.

I'm still not totally convinced that this is worth landing.  Mozilla is not planning a chemspill for this.  The public key has not been leaked, and MSC Holdings claims to have deleted their copy.

    
  

        Attachment #8581175 -
        Attachment is obsolete: true

        Attachment #8581175 -
        Flags: review?(kaie)

    
    

    
  
(In reply to Richard Barnes [:rbarnes] from comment #7)
> I'm still not totally convinced that this is worth landing.  Mozilla is not
> planning a chemspill for this.  The public key has not been leaked, and MSC
> Holdings claims to have deleted their copy.

We discussed it today in the call. We thought it would be reasonable to:
- don't rush
- push out the intermediate anyway.

Richard, if you r+ed my patch, I'd to the following:

- land both this bug and bug 1145270
- release it as a new root CA list (version 2.4)
- create a NSS minibranch release 3.18.0.1 which has these two changes

Anyone who wants this NSS update could then easily pick it up.

We could offer to Firefox drivers to take it for Firefox 38, which already uses 3.18, and taking 3.18.0.1 would be a non-code change, only CA list change, so very low risk.
Flags: needinfo?(rlb)

    
  

        Attachment #8582599 -
        Flags: superreview?(rrelyea)

        Attachment #8582599 -
        Flags: review?(rlb)

    
  
Flags: needinfo?(rlb)

    
    

    
  
Comment on attachment 8582599 [details] [diff] [review]
patch v2

Review of attachment 8582599 [details] [diff] [review]:
-----------------------------------------------------------------

It's fine with me if you want to proceed with this.  But it doesn't seem hugely important.  Given that the certificate is already expired, the only real benefit is that clients with clocks that are badly wrong.

        Attachment #8582599 -
        Flags: review?(rlb) → review+

    
  
Target Milestone: --- → 3.19

    
    

    
  
can we open this bug?

    
    

    
  
https://hg.mozilla.org/projects/nss/rev/c1bd3c0eaa34
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED

    
    

    
  
Landed into NSS_3_18_BRANCH
https://hg.mozilla.org/projects/nss/rev/624fd149bd3a

    
  
Target Milestone: 3.19 → 3.18.1

    
    

    
  
(In reply to Kai Engert (:kaie) from comment #10)
> can we open this bug?
Flags: needinfo?(dveditz)
Flags: needinfo?(dveditz)

    
    

    
  
I'm guessing this is wontfix for esr31? Unless we end up taking 3.19.1 there as well.
Assignee: nobody → kaie

          status-b2g-v2.0:
          --- → affected

          status-b2g-v2.0M:
          --- → affected

          status-b2g-v2.1:
          --- → affected

          status-b2g-v2.1S:
          --- → affected

          status-b2g-v2.2:
          --- → affected

          status-b2g-master:
          --- → fixed

          status-firefox38:
          --- → fixed

          status-firefox38.0.5:
          --- → fixed

          status-firefox39:
          --- → fixed

          status-firefox40:
          --- → fixed

          status-firefox41:
          --- → fixed

          status-firefox-esr31:
          --- → ?

          status-firefox-esr38:
          --- → fixed
Flags: needinfo?(kaie)

    
    

    
  
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #14)
> I'm guessing this is wontfix for esr31?

Agreed.


> Unless we end up taking 3.19.1 there as well.

We'll take a 3.19.1 that's modified to keep the old set of root CA certificates (pre 1024-bit removal).
Flags: needinfo?(kaie)
Blocks: 1166031
No longer depends on: 1166031

    
    

    
  
Al, what's the advisory status for Firefox on this?
Flags: needinfo?(abillings)
Whiteboard: [b2g-adv-main2.2?]
Flags: needinfo?(abillings)

    
    

    
  
(In reply to Christiane Ruetten [:cr] from comment #16)
> Al, what's the advisory status for Firefox on this?

We don't write advisories for certificate changes.
Whiteboard: [b2g-adv-main2.2?] → [b2g-adv-main2.2-]

    
  

        Attachment #8582599 -
        Flags: superreview?(rrelyea)

    
  
Group: core-security → core-security-release
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: