Closed Bug 683449 Opened 13 years ago Closed 13 years ago

Remove the exemptions for the Staat der Nederlanden root

Categories

(Core :: Security: PSM, defect)

defect
Not set
blocker

Tracking

VERIFIED FIXED
mozilla9
Tracking Status
firefox6 --- .2-fixed
firefox7 --- fixed
firefox8 --- fixed
firefox9 --- fixed
status1.9.2 --- .22-fixed

People

(Reporter: gerv, Assigned: ehsan.akhgari)

Details

(Keywords: verified-beta, verified1.9.2, Whiteboard: [qa+])

Attachments

(1 file, 1 obsolete file)

It turns out that there are two Staat der Nederlanden roots in our root store, and our patch only exempts one of them from the DigiNotar block :-(( This means that a number of websites whose certs do not chain up to the dis-trusted DigiNotar root are nevertheless having their certificates viewed as untrusted. I'm not sure how many sites this is.

The roots are:
Staat der Nederlanden Root CA
  (successfully exempted)
Staat der Nederlanden Root CA - G2
  (accidentally included)

The line of code is this one:

if (!strcmp(node->cert->issuerName,
    "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL") ...

This check needs to include both the names above.

Test site:
https://sha2.diginotar.nl/

Gerv
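The mismatch described in the comment above, modelled as an added example (not Mozilla's code and not taken from this bug's patch): an exact-match exemption list holding one issuer name versus both. The struct, function names, sample chains, the `CN=DigiNotar` substring test and the G2 DN string are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a chain entry: only the issuer DN string is modelled. */
struct chain_cert { const char *issuer_name; };

#define ROOT_G1 "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL"
/* Assumption: G2 DN formed from the root name on the page, same O and C. */
#define ROOT_G2 "CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL"

static const char *const EXEMPT_ONE[]  = { ROOT_G1, NULL };          /* check as quoted */
static const char *const EXEMPT_BOTH[] = { ROOT_G1, ROOT_G2, NULL }; /* both names */

/* Exact whole-string comparison against a NULL-terminated list of issuer DNs. */
static int issuer_exempt(const char *issuer, const char *const *list)
{
    for (; *list; list++)
        if (strcmp(issuer, *list) == 0)
            return 1;
    return 0;
}

/* Chain is leaf first, top-most certificate last. Returns 1 when blocked: some
 * issuer is a DigiNotar CA (substring test, an assumption standing in for the
 * real block) and the top-most issuer is not on the exemption list. */
int chain_blocked(const struct chain_cert *chain, size_t len, const char *const *exempt)
{
    int diginotar = 0;
    for (size_t i = 0; i < len; i++)
        if (strstr(chain[i].issuer_name, "CN=DigiNotar") != NULL)
            diginotar = 1;
    return diginotar && !issuer_exempt(chain[len - 1].issuer_name, exempt);
}

/* Constructed sample chains (issuer DNs only), not captured from real sites. */
static const struct chain_cert CHAIN_G1[] = {
    { "CN=DigiNotar PKIoverheid CA Overheid en Bedrijven,O=DigiNotar B.V.,C=NL" },
    { ROOT_G1 },
};
static const struct chain_cert CHAIN_G2[] = {
    { "CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL" },
    { ROOT_G2 },
};

int main(void)
{
    printf("one name:   G2 blocked=%d\n", chain_blocked(CHAIN_G2, 2, EXEMPT_ONE));
    printf("both names: G2 blocked=%d\n", chain_blocked(CHAIN_G2, 2, EXEMPT_BOTH));
    return 0;
}
```

Passing a list that contains only the terminating `NULL` models the state after the exemptions are removed, as in this bug's final summary: both sample chains are then blocked.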
Some more websites:
https://g2test.logius.nl/
https://steenwijkerland.bim.mijnbezwaar.nl/

Let me know if you need more.
This bug cannot progress until the right people wake up. If we decide to issue a further update, the turnaround time is about 24 hours.

Gerv
Assignee: nobody → bsmith
I think I may have a patch.
Assignee: bsmith → ehsan
Attached patch: Patch (v1)
Attachment #557158 - Flags: review?(rrelyea)
Attachment #557158 - Flags: review?(kaie)
Attachment #557158 - Flags: review?(dveditz)
Attachment #557158 - Flags: review?(bsmith)
This is still building on my machine.
Attachment #557159 - Flags: review?(kaie)
Attachment #557159 - Flags: review?(honzab.moz)
Attachment #557159 - Flags: review?(dveditz)
(In reply to Brian Smith (:bsmith) from comment #6)
> Created attachment 557159 [details] [diff] [review]
> WIP - Allow Staat der Nederlanden Root CA - G2 Root
> 
> This is still building on my machine.

Same here!
Comment on attachment 557159 [details] [diff] [review]
WIP - Allow Staat der Nederlanden Root CA - G2 Root

Will use Ehsan's patch, which I will r+ as soon as it finishes building on my machine and I can test it.
Attachment #557159 - Attachment is obsolete: true
Attachment #557159 - Flags: review?(kaie)
Attachment #557159 - Flags: review?(honzab.moz)
Attachment #557159 - Flags: review?(dveditz)
Blocks: 682927
Keywords: regression
Comment on attachment 557158 [details] [diff] [review]
Patch (v1)

If the Dutch gov insists on this, and Mozilla decides to concur, I'm fine with this code change.
r=kaie
Attachment #557158 - Flags: review?(kaie) → review+
Just verified locally that the fix is working for all of the test websites.
http://hg.mozilla.org/mozilla-central/rev/e18dcb523b20
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Attachment #557158 - Flags: review?(rrelyea)
Attachment #557158 - Flags: review?(dveditz)
Attachment #557158 - Flags: review?(bsmith)
(Confirming that this has any approval flags ehsan needs it to have - a=me)
Comment on attachment 557158 [details] [diff] [review]
Patch (v1)

>     // By request of the Dutch government

I suggest this comment be reworded.  This comment
implies we yielded to government pressure.  I doubt
that's the case.

How about something like "Staat der Nederlanden Root CA
certified their subordinate DigiNotar CAs were good"?
If it turns out their subordinate DigiNotar CAs were
also attacked, then that'll be reason to remove the
trust for Staat der Nederlanden Root CA.

Similarly, we should ask each of the root CAs that
has a subordinate DigiNotar CA to either certify
or revoke the subordinate DigiNotar CA.  This is a
good test for the trustworthiness of the root CAs.
(In reply to Wan-Teh Chang from comment #14)
> How about something like "Staat der Nederlanden Root CA
> certified their subordinate DigiNotar CAs were good"?

Sshhh, but does that really matter? This is effectively and right now used as a revolving door by DigiNotar. I suggest to A) review this decision, B) check your procedures for such incidences, C) perhaps consult with the Mozilla CA Policy.

It does look very bad in my opinion and it appears to contradict the decision to remove this root.
(In reply to Wan-Teh Chang from comment #14)
> Comment on attachment 557158 [details] [diff] [review]
> Patch (v1)
> 
> >     // By request of the Dutch government
> 
> I suggest this comment be reworded.  This comment
> implies we yielded to government pressure.  I doubt
> that's the case.

Can someone please blog on the Mozilla Security Blog explaining this part of the situation? How it came about, what has been excepted and what effect it has on people visiting sites that are part of this exception. Thank you.
Mozilla believes that the exemption for certificates under Staat der Nederlanden roots is justified, and it is in line with what other browsers are doing (which used different technical measures which made an exception unnecessary). We will be posting on the security blog soon with a fuller explanation of this. The comment in the source code is not the full story.

Gerv
An explanation would be certainly helpful, thanks.
Considering the patch that landed is actually completely different than what this bug was about, I'm updating the summary and such to reflect that. It would be nice to get the actual patch added as an attachment here.
Keywords: regression
Summary: DigiNotar patch erroneously blocks one of the two Staat der Nederlanden roots → Remove the exemptions for the Staat der Nederlanden root
In a conference of the Dutch government held right now, they also give up trust in their certificates and they expect the browsers to follow.
Could someone on this bug either indicate what verification steps should be done to verify or even better go ahead and verify yourself. TIA!
Seconding Matt, QA would like to verify this behavior before signing off, but it's unclear how we should be doing it. Any hints would be appreciated.
The following sites should work before the patch, and not after:

Staat der Nederlanden Root CA - G2 via Diginotar PKIOverheid CA Organisatie - G2: 
  https://belastingbalie.eindhoven.nl/ (Issued: 4th Feb 2011)

Staat der Nederlanden Root CA via Diginotar PKIoverheid CA Overheid en Bedrijven:
  https://www.nifpnet.nl/ (Issued 12th May 2011)

I _think_ you should expect to see an overrideable "cert_not_trusted" error.

Gerv
Setting resolution to Verified Fixed on Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

Both sites from comment 29 are now showing the "Untrusted Connection Page".
The error is displayed under technical details: "The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)"

The same behavior applies on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Status: RESOLVED → VERIFIED
This bug needs to be verified against all the branches marked above as fixed. The Verified state is also for trunk and not 6.0.2 as what you have used for testing. Please test at least across 3.6.22 build 2, 6.0.2 build 2, and 7.0b4#2.
Status: VERIFIED → RESOLVED
Closed: 13 years ago → 13 years ago
Component: CA Certificates → Security: PSM
Product: NSS → Core
QA Contact: root-certs → psm
Version: trunk → unspecified
I've verified this against 3.6.22(build2), 6.0.2(build2), 7.0b4(build2), and latest Nightly using Windows XP or Mac. The first url in comment #29 is now using a certificate, issued on 9/5, by a different certificate authority so there is no error. This is to be expected. The second url is untrusted but overridable.
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
Target Milestone: --- → mozilla9
(In reply to Vlad [QA] from comment #30)
> Setting resolution to Verified Fixed on Mozilla/5.0 (Windows NT 6.1;
> rv:6.0.2) Gecko/20100101 Firefox/6.0.2
> 
> Both sites from comment29 are now showing the "Untrusted Connection Page"
> The error is displayed under technical details: "The certificate is not
> trusted because the issuer certificate is unknown.Error code:
> sec_error_unknown_issuer)
> 
> The same behavior applies on:
> Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101
> Firefox/6.0.2
> Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
> Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

But I still can go into their website even in Firefox 6.0.2
For both websites I didn't get the "Untrusted Connection Page". I did not get the error that is displayed under technical details: "The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)"
Because both websites have been issued new certificates meanwhile. Which means they are no valid testcases anymore.
This needs to be verified on Aurora.
Whiteboard: [qa+]
(In reply to Henrik Skupin (:whimboo) from comment #35)
> Because both websites have been issued new certificates meanwhile. Which
> means they are no valid testcases anymore.

New testcase, the Dutch secret service still has a Diginotar cert!

Staat der Nederlanden Root CA via Diginotar PKIoverheid CA Overheid en Bedrijven:
https://www.aivd.nl/