Remove 1024-bit GTE CyberTrust Global Root

RESOLVED FIXED

Status

task
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: kwilson, Assigned: kwilson)

Tracking

Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: Changes are in NSS 3.17.3, Firefox 36)

Assignee

Description

5 years ago
Remove this 1024-bit root from NSS:
CN = GTE CyberTrust Global Root
OU = "GTE CyberTrust Solutions, Inc."
O = GTE Corporation
C = US
SHA1: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74

It was removed in Bug #936304 and then added back on Bug #1046343 due to compatibility concerns. 

We need to figure out a path forward regarding removal of this 1024-bit root, and then make it happen.

I see three possible approaches for migrating off of this root:

1)Identify and temporarily include the 2048-bit version of cross-signed intermediate certs, as per Bug #1045189. More testing is needed and we will need to collect the set of intermediate certs that will have the biggest impact on easing the migration off of this root.

2) Dynamic fetching of missing intermediate certs, as described in Bug #399324. But this is controversial and is being discussed in mozilla.dev.security.policy.

3) Set a new date to remove the root, communicate the change and provide information about how folks can fix their web servers if the change impacts them.
Assignee

Updated

5 years ago
Assignee: nobody → kwilson
Status: NEW → ASSIGNED
Assignee

Comment 1

5 years ago
It looks like we will not do option 2 (dynamic fetching of missing intermediate certs).

We can consider temporarily including a small set of 2048-bit cross-certificates to ease the migration. We would need those cross-certificates attached to this bug by mid-September.

We are targeting Firefox 35 for this root removal:
https://wiki.mozilla.org/RapidRelease/Calendar
Whiteboard: Target Firefox 35

Comment 2

5 years ago
Sites affected by removal of this root, detected after scanning Alexa Top 1 million sites (~400000 SSL enabled) as of 11th of July:

191.it@217.169.121.228
acdelcogarage.com@174.143.186.120
alice.it@217.169.121.227
bancagenerali.it@193.41.84.51
baskinrobbins.com@164.109.96.216
bil.com@156.133.48.230
bpost.be@193.191.180.209
cadillaceurope.com@213.83.24.215
chevrolet.com.pe@198.208.245.20
cm.be@62.213.199.139
comune.roma.it@94.86.40.109
dell.ca@143.166.83.38
dell.cl@143.166.83.38
dell.com@143.166.224.244
dell.com.br@143.166.83.38
dell.com.co@143.166.83.38
dell.com.mx@143.166.83.38
dell.com.pr@143.166.224.244
don.com@164.109.41.73
dsoa.ae@195.229.104.87
dunkinfranchising.com@164.109.96.216
dyson.com.au@216.255.88.233
electrabel.be@37.110.194.239
etisalat.com.eg@41.222.129.2
etisalat.eg@41.222.129.210
ettoday.net@219.85.79.131
euromut.be@194.78.148.214
gmfamilyfirst.com@198.208.73.78
gmfleetorderguide.com@198.208.145.185
gm-korea.co.kr@198.208.106.109
hallmark.com@165.193.83.157
impresasemplice.it@77.238.17.230
infostrada.it@54.229.10.161
isuzu.co.za@41.215.239.42
jumpin.it@212.48.1.45
mc.be@62.213.199.139
mcdonaldsarabia.com@216.255.66.200
myalcon.com@164.109.69.40
mylu.liberty.edu@208.95.48.173
nic.ae@195.229.242.240
oz.be@194.78.148.212
parlamento.pt@88.157.195.27
partenamut.be@194.78.148.217
planchevrolet.com.ar@198.208.145.32
sacredheart.edu@198.101.212.115
sanpaoloimi.com@193.41.198.240
sdtps.gov.ae@213.42.203.183
sisalpay.it@85.40.211.250
sriwijayaair.co.id@203.196.90.50
tim.it@156.54.69.9
turismodeportugal.pt@83.240.208.254
tvlicence.ie@194.125.152.173
ustation.it@77.238.10.99
visitportugal.com@83.240.208.237
windgroup.it@54.229.10.164
wind.it@54.229.10.160
www.agenziafarmaco.gov.it@156.54.64.29
www.agustawestland.com@193.169.150.1
www.base.gov.pt@194.65.55.203
www.bep.gov.pt@194.110.76.232
www.chevrolet.co.kr@198.208.106.109
www.dell.com.pr@143.166.83.38
www.dgs.pt@80.172.233.33
www.e-financas.gov.pt@213.13.158.241
www.emfa.pt@194.140.232.200
www.genertellife.it@92.246.34.26
www.gmiotraining.com@208.81.182.147
www.gntn-pgd.it@5.97.112.30
www.gov-madeira.pt@62.28.7.146
www.inci.pt@194.65.55.196
www.inps.it@94.86.41.16
www.oz.be@137.116.217.170
www.portaldasfinancas.gov.pt@213.13.158.243
www.ricevitoresisal.it@5.97.112.54
www.sef.pt@83.240.239.138
www.timinternet.it@156.54.69.10
www.wifiarea.it@217.169.121.230
Assignee

Comment 3

5 years ago
(In reply to Hubert Kario from comment #2)
> Sites affected by removal of this root, detected after scanning Alexa Top 1
> million sites (~400000 SSL enabled) as of 11th of July:

Thanks Hubert!

Steven, I'm sure you are already in contact with these customers. Please continue to encourage them to migrate to a newer CA hierarchy that does not use 1024-bit RSA certificates.
The code change corresponding to this bug will result in the above listed websites becoming untrusted when Firefox 35 is released. ( https://wiki.mozilla.org/RapidRelease/Calendar )
Also, note that the changes will be in an NSS release in early October, so others who use NSS directly will notice the changes earlier.

Updated

5 years ago
Depends on: 1088147
Assignee

Comment 5

5 years ago
Confirmed removal of the "GTE CyberTrust Global Root" in the test build.

Comment 6

5 years ago
Sites affected by root removal (using data collected from scanning Alexa Top 1 Million sites between 13th and 24th of October 2014).

Total: 55 sites (22 less).

191.it@217.169.121.228
acdelcogarage.com@174.143.186.120
alice.it@217.169.121.227
bancagenerali.com@193.41.84.51
bancagenerali.it@193.41.84.51
baskinrobbins.com@164.109.96.216
bil.com@156.133.48.230
bpost.be@193.191.180.209
cadillaceurope.com@213.83.24.215
cbdonline.ae@213.42.80.12
cm.be@62.213.199.139
comune.roma.it@94.86.40.109
don.com@164.109.41.73
dsoa.ae@195.229.104.87
dunkinfranchising.com@164.109.96.216
dyson.com.au@216.255.88.233
electrabel.be@94.236.33.55
etisalat.com.eg@41.222.129.2
etisalat.eg@41.222.129.210
euromut.be@194.78.148.214
gmfleetorderguide.com@198.208.145.185
gm-korea.co.kr@198.208.106.109
hallmark.com@165.193.83.157
isuzu.co.za@41.215.239.42
mc.be@62.213.199.139
mcdonaldsarabia.com@216.255.66.200
membershiprewardsviagens.com.br@186.234.211.27
mylu.liberty.edu@208.95.48.173
oz.be@194.78.148.212
parlamento.pt@88.157.195.27
partenamut.be@194.78.148.217
planchevrolet.com.ar@198.208.145.32
portaldahabitacao.pt@194.38.148.237
sdtps.gov.ae@213.42.203.183
turismodeportugal.pt@83.240.208.254
tvlicence.ie@194.125.152.173
visitportugal.com@193.126.28.43
windgroup.it@54.229.10.164
www.agenziafarmaco.gov.it@156.54.64.29
www.agustawestland.com@193.169.150.1
www.anpostpayment.ie@194.125.152.187
www.base.gov.pt@194.65.55.203
www.chevrolet.co.kr@198.208.106.109
www.dgo.pt@213.63.137.49
www.dgs.pt@80.172.233.33
www.emfa.pt@194.140.232.200
www.gmiotraining.com@208.81.182.147
www.gov-madeira.pt@62.28.7.146
www.inci.pt@194.65.55.196
www.oz.be@137.116.217.170
www.pep.pt@83.240.239.138
www.sacredheart.edu@104.130.138.206
www.sef.pt@83.240.239.138
www.sicae.pt@91.198.182.96
www.wifiarea.it@217.169.121.230
Assignee

Comment 7

5 years ago
(In reply to Hubert Kario from comment #6)
> Sites affected by root removal (using data collected from scanning Alexa Top
> 1 Million sites between 13th and 24th of October 2014).
> 
> Total: 55 sites (22 less).

Thanks, Hubert, for continuing to provide this data.

Steven, Looks like you're making good progress.
I assume all these customers have been informed of the dates for Firefox 35, and what they need to do before then.

Thanks!
Kathleen
Assignee

Updated

5 years ago
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Whiteboard: Target Firefox 35 → Changes are in NSS 3.17.3, Firefox 36
Assignee

Updated

5 years ago
Version: 3.16.4 → 3.17.3

Comment 8

5 years ago
https://www.ssllabs.com/ssltest/analyze.html?d=liberty.edu&latest
Notice this was just renewed today but still is based on the GTE CyberTrust root. Has an intermediate been created for LUPKI01 that is chained to a 2048-bit root.

Comment 9

5 years ago
Speaking of which I also found that this was also renewed recently, but alsostill is based on the GTE CyberTrust root:
https://myshu.sacredheart.edu/
(In reply to Yuhong Bao from comment #8)
> https://www.ssllabs.com/ssltest/analyze.html?d=liberty.edu&latest
> Notice this was just renewed today but still is based on the GTE CyberTrust
> root. Has an intermediate been created for LUPKI01 that is chained to a
> 2048-bit root.

(a)
I don't understand, what is "LUPKI01" ?

(b)
I see something else. Maybe they have changed their configuration again. I see a cert issued on Jan 05 with this chain:

Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Virginia/businessCategory=Private Organization/serialNumber=0136062-7/C=US/postalCode=24502-2269/ST=Virginia/L=Lynchburg/street=1971 University Blvd/O=LIBERTY UNIVERSITY, INC./OU=Technical Services/CN=www.liberty.edu
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

(and I get a domain mismatch, because the cert isn't valid for liberty.edu, but only valid for www.liberty.edu)


(In reply to Yuhong Bao from comment #9)
> Speaking of which I also found that this was also renewed recently, but
> alsostill is based on the GTE CyberTrust root:
> https://myshu.sacredheart.edu/

Please distinguish between the CA and the separate entity that controls the intermediate CA.

The intermediate CA, which is controlled by the university, has issued the server certificate.

Comment 11

5 years ago
LUPKI01 is the intermediate certificate, and yes notice this happened after the date of my original comment.
Assignee

Comment 12

5 years ago
(In reply to Hubert Kario from comment #6)
> Sites affected by root removal (using data collected from scanning Alexa Top
> 1 Million sites between 13th and 24th of October 2014).
> 
> Total: 55 sites (22 less).
> 

Hi Hubert, Would you please provide new data again?

As you know, the "GTE CyberTrust Global Root" is removed in Firefox 36, which is schedule to release on Feb 23.
https://wiki.mozilla.org/RapidRelease/Calendar

Thanks,
Kathleen

Comment 13

5 years ago
Sure.

I plan to start new scan on this Friday (16/01/2015) so I should have the data around 30th of January.
Assignee

Comment 14

5 years ago
Excellent! Thanks!

Comment 15

5 years ago
(In reply to Yuhong Bao from comment #11)
> LUPKI01 is the intermediate certificate, and yes notice this happened after
> the date of my original comment.

A reminder that they also will have to replace the certificate used on mylu.liberty.edu too.

Comment 16

4 years ago
Sites affected by root removal (using data collected from scanning Alexa Top 1 Million sites between 17th and 30th of January 2015).

Total: 47 sites (8 less).

acdelcogarage.com@174.143.186.120
bil.com@156.133.48.230
bpost.be@193.191.180.209
carnivalgiftcards.com@216.26.170.73
cbddirect.ae@213.42.80.7
cm.be@62.213.199.139
don.com@164.109.41.73
dre.pt@193.17.0.177
dsoa.ae@195.229.104.87
electrabel.be@94.236.33.55
etisalat.com.eg@41.222.129.2
etisalat.eg@41.222.129.210
gestaodocondominio.pt@89.26.245.110
gmalpheon.co.kr@198.208.106.109
inpi.pt@213.63.128.70
isuzu.co.za@41.215.239.42
mc.be@62.213.199.139
mcdonaldsarabia.com@216.255.66.200
myschool.lu@158.64.87.115
onstarconnections.com@174.143.38.51
oz.be@194.78.148.212
partenamut.be@194.78.148.217
planchevrolet.com.ar@198.208.86.171
sacredheart.edu@104.130.138.206
sdtps.gov.ae@213.42.203.183
snca.lu@194.154.210.228
turismodeportugal.pt@193.126.28.1
unibanco.pt@194.107.127.125
uni.lu@158.64.76.208
visitportugal.com@193.126.28.43
vodafone.cz@217.77.163.138
vodafone.es@212.166.190.52
vodafone.hu@80.244.96.4
windgroup.it@54.229.10.164
wordbee-translator.com@213.166.42.84
www.anpostpayment.ie@194.125.152.187
www.arcor-usercontent.de@151.189.21.177
www.dgo.pt@213.63.137.49
www.dgs.pt@80.172.233.33
www.emfa.pt@194.140.232.200
www.estradas.pt@193.126.28.165
www.gov-madeira.pt@62.28.7.146
www.oz.be@137.116.217.170
www.sabam.be@81.246.122.252
www.snca.lu@194.154.210.230
www.snct.lu@194.154.210.230
www.vodafone.com.au@23.193.134.87
Assignee

Comment 17

4 years ago
(In reply to Hubert Kario from comment #16)
> Sites affected by root removal (using data collected from scanning Alexa Top
> 1 Million sites between 17th and 30th of January 2015).
> 
> Total: 47 sites (8 less).

Thanks Hubert!

All, If any of you have contacts for the above websites, please point them to:
https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out-certificates-with-1024-bit-rsa-keys/

Comment 18

4 years ago
FYI, of the ECCE ones, emfa.pt and visitportugal.com already have been fixed to use Baltimore.

Comment 19

4 years ago
We remain actively involved in helping customers who will be affected by the February 23rd release.  In many cases, several of these certificates represent single customers in the process of moving larger certificate populations than those shown.
Depends on: 1120977
You need to log in before you can comment on or make changes to this bug.