Closed Bug 1047011 Opened 11 years ago Closed 10 years ago

Remove 1024-bit GTE CyberTrust Global Root

Categories

(NSS :: CA Certificates Code, task)

3.17.3
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: Changes are in NSS 3.17.3, Firefox 36)

Remove this 1024-bit root from NSS:

CN = GTE CyberTrust Global Root
OU = "GTE CyberTrust Solutions, Inc."
O = GTE Corporation
C = US
SHA1: 97:81:79:50:D8:1C:96:70:CC:34:D8:09:CF:79:44:31:36:7E:F4:74

It was removed in Bug #936304 and then added back on Bug #1046343 due to compatibility concerns. We need to figure out a path forward regarding removal of this 1024-bit root, and then make it happen.

I see three possible approaches for migrating off of this root:

1) Identify and temporarily include the 2048-bit version of cross-signed intermediate certs, as per Bug #1045189. More testing is needed and we will need to collect the set of intermediate certs that will have the biggest impact on easing the migration off of this root.

2) Dynamic fetching of missing intermediate certs, as described in Bug #399324. But this is controversial and is being discussed in mozilla.dev.security.policy.

3) Set a new date to remove the root, communicate the change and provide information about how folks can fix their web servers if the change impacts them.
Assignee: nobody → kwilson
Status: NEW → ASSIGNED
It looks like we will not do option 2 (dynamic fetching of missing intermediate certs). We can consider temporarily including a small set of 2048-bit cross-certificates to ease the migration. We would need those cross-certificates attached to this bug by mid-September. We are targeting Firefox 35 for this root removal: https://wiki.mozilla.org/RapidRelease/Calendar
Whiteboard: Target Firefox 35
Sites affected by removal of this root, detected after scanning Alexa Top 1 million sites (~400000 SSL enabled) as of 11th of July:

191.it@217.169.121.228
acdelcogarage.com@174.143.186.120
alice.it@217.169.121.227
bancagenerali.it@193.41.84.51
baskinrobbins.com@164.109.96.216
bil.com@156.133.48.230
bpost.be@193.191.180.209
cadillaceurope.com@213.83.24.215
chevrolet.com.pe@198.208.245.20
cm.be@62.213.199.139
comune.roma.it@94.86.40.109
dell.ca@143.166.83.38
dell.cl@143.166.83.38
dell.com@143.166.224.244
dell.com.br@143.166.83.38
dell.com.co@143.166.83.38
dell.com.mx@143.166.83.38
dell.com.pr@143.166.224.244
don.com@164.109.41.73
dsoa.ae@195.229.104.87
dunkinfranchising.com@164.109.96.216
dyson.com.au@216.255.88.233
electrabel.be@37.110.194.239
etisalat.com.eg@41.222.129.2
etisalat.eg@41.222.129.210
ettoday.net@219.85.79.131
euromut.be@194.78.148.214
gmfamilyfirst.com@198.208.73.78
gmfleetorderguide.com@198.208.145.185
gm-korea.co.kr@198.208.106.109
hallmark.com@165.193.83.157
impresasemplice.it@77.238.17.230
infostrada.it@54.229.10.161
isuzu.co.za@41.215.239.42
jumpin.it@212.48.1.45
mc.be@62.213.199.139
mcdonaldsarabia.com@216.255.66.200
myalcon.com@164.109.69.40
mylu.liberty.edu@208.95.48.173
nic.ae@195.229.242.240
oz.be@194.78.148.212
parlamento.pt@88.157.195.27
partenamut.be@194.78.148.217
planchevrolet.com.ar@198.208.145.32
sacredheart.edu@198.101.212.115
sanpaoloimi.com@193.41.198.240
sdtps.gov.ae@213.42.203.183
sisalpay.it@85.40.211.250
sriwijayaair.co.id@203.196.90.50
tim.it@156.54.69.9
turismodeportugal.pt@83.240.208.254
tvlicence.ie@194.125.152.173
ustation.it@77.238.10.99
visitportugal.com@83.240.208.237
windgroup.it@54.229.10.164
wind.it@54.229.10.160
www.agenziafarmaco.gov.it@156.54.64.29
www.agustawestland.com@193.169.150.1
www.base.gov.pt@194.65.55.203
www.bep.gov.pt@194.110.76.232
www.chevrolet.co.kr@198.208.106.109
www.dell.com.pr@143.166.83.38
www.dgs.pt@80.172.233.33
www.e-financas.gov.pt@213.13.158.241
www.emfa.pt@194.140.232.200
www.genertellife.it@92.246.34.26
www.gmiotraining.com@208.81.182.147
www.gntn-pgd.it@5.97.112.30
www.gov-madeira.pt@62.28.7.146
www.inci.pt@194.65.55.196
www.inps.it@94.86.41.16
www.oz.be@137.116.217.170
www.portaldasfinancas.gov.pt@213.13.158.243
www.ricevitoresisal.it@5.97.112.54
www.sef.pt@83.240.239.138
www.timinternet.it@156.54.69.10
www.wifiarea.it@217.169.121.230
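The two things this bug turns on, why a site shows up in the "affected" scans above and what option 1 in the bug description (temporarily shipping a 2048-bit cross-signed intermediate) actually changes, both come down to certificate path building. The following is an added example, not code from NSS, Mozilla or the scanner Hubert used. It models certificates as plain records chained by subject/issuer name only (no signature, validity or constraint checks) so that it runs offline; the root names come from this bug, but every fingerprint, the "Example Issuing CA" intermediate and the www.example.com leaf are constructed placeholders.

```python
"""Toy model of certificate path building around the removal of a 1024-bit root.

Added example; not code from the NSS bug, NSS or Mozilla. Certificates are
plain records chained by subject/issuer name only (no signatures, validity
periods or constraints), and every fingerprint is a constructed label, not a
real SHA-1 value.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_bits: int
    fingerprint: str  # constructed label standing in for the SHA-1 fingerprint

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def build_paths(leaf, pool, trust_store, max_depth=6):
    """Return every path leaf -> ... -> trust anchor that name-chaining can find.

    `pool` is what the server sent plus anything cached locally; `trust_store`
    is the root program's anchors. Self-signed certs in the pool are ignored:
    a root only counts while the trust store still contains it.
    """
    roots, candidates = {}, {}
    for r in trust_store:
        roots.setdefault(r.subject, []).append(r)
    for c in pool:
        if not c.self_signed:
            candidates.setdefault(c.subject, []).append(c)

    paths = []

    def walk(path):
        head = path[-1]
        for root in roots.get(head.issuer, []):
            paths.append(path + [root])
        if len(path) >= max_depth:
            return
        for nxt in candidates.get(head.issuer, []):
            if nxt not in path:  # guard against cross-signing loops
                walk(path + [nxt])

    walk([leaf])
    return paths


def weakest_key_bits(path):
    return min(c.key_bits for c in path)


def remove_root(trust_store, fingerprint):
    return [r for r in trust_store if r.fingerprint != fingerprint]


def affected_by_removal(leaf, pool, trust_store, fingerprint):
    """True when the site validates today but loses its only path once the root goes."""
    before = build_paths(leaf, pool, trust_store)
    after = build_paths(leaf, pool, remove_root(trust_store, fingerprint))
    return bool(before) and not after


# Constructed trust store: the 1024-bit root from this bug and the 2048-bit
# Baltimore root some sites migrated to (names from the bug, fingerprints made up).
GTE_ROOT = Cert("GTE CyberTrust Global Root", "GTE CyberTrust Global Root", 1024, "fp-gte-1024")
BALTIMORE_ROOT = Cert("Baltimore CyberTrust Root", "Baltimore CyberTrust Root", 2048, "fp-baltimore")
TRUST_STORE = [GTE_ROOT, BALTIMORE_ROOT]

# Constructed server chain: a leaf under a hypothetical issuing CA that is
# itself signed by the 1024-bit root. This is the shape of an "affected" site.
INTERMEDIATE_GTE = Cert("Example Issuing CA", "GTE CyberTrust Global Root", 2048, "fp-int-under-gte")
LEAF = Cert("www.example.com", "Example Issuing CA", 2048, "fp-leaf")
SERVER_CHAIN = [LEAF, INTERMEDIATE_GTE]

# Constructed cross-signed version of the same intermediate, issued under the
# 2048-bit root: what option 1 in the bug would temporarily ship in NSS.
INTERMEDIATE_CROSS = Cert("Example Issuing CA", "Baltimore CyberTrust Root", 2048, "fp-int-cross")


def summarize(paths):
    return [(p[-1].subject, weakest_key_bits(p)) for p in paths]


def demo():
    store_after = remove_root(TRUST_STORE, "fp-gte-1024")
    return {
        "before_removal": summarize(build_paths(LEAF, SERVER_CHAIN, TRUST_STORE)),
        "after_removal": summarize(build_paths(LEAF, SERVER_CHAIN, store_after)),
        "with_cross_cert": summarize(build_paths(LEAF, SERVER_CHAIN + [INTERMEDIATE_CROSS], store_after)),
        "affected": affected_by_removal(LEAF, SERVER_CHAIN, TRUST_STORE, "fp-gte-1024"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Read the output top to bottom: the same server chain validates with the GTE root present (weakest key 1024 bits), finds no path at all once that root is gone, and validates again at 2048 bits as soon as the cross-signed intermediate is in the pool, without the server changing anything. That last case is the whole point of option 1, and also why it is only a stopgap: the site still depends on a cert it does not itself send. Against a live site the equivalent check is the chain printed by openssl s_client -showcerts (as in the liberty.edu chain quoted later in this bug), with the last certificate's SHA-1 fingerprint compared against the one in the bug description.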
(In reply to Hubert Kario from comment #2)
> Sites affected by removal of this root, detected after scanning Alexa Top 1
> million sites (~400000 SSL enabled) as of 11th of July:

Thanks Hubert!

Steven, I'm sure you are already in contact with these customers. Please continue to encourage them to migrate to a newer CA hierarchy that does not use 1024-bit RSA certificates. The code change corresponding to this bug will result in the above listed websites becoming untrusted when Firefox 35 is released. ( https://wiki.mozilla.org/RapidRelease/Calendar )

Also, note that the changes will be in an NSS release in early October, so others who use NSS directly will notice the changes earlier.
Depends on: 1088147
Confirmed removal of the "GTE CyberTrust Global Root" in the test build.
Sites affected by root removal (using data collected from scanning Alexa Top 1 Million sites between 13th and 24th of October 2014).

Total: 55 sites (22 less).

191.it@217.169.121.228
acdelcogarage.com@174.143.186.120
alice.it@217.169.121.227
bancagenerali.com@193.41.84.51
bancagenerali.it@193.41.84.51
baskinrobbins.com@164.109.96.216
bil.com@156.133.48.230
bpost.be@193.191.180.209
cadillaceurope.com@213.83.24.215
cbdonline.ae@213.42.80.12
cm.be@62.213.199.139
comune.roma.it@94.86.40.109
don.com@164.109.41.73
dsoa.ae@195.229.104.87
dunkinfranchising.com@164.109.96.216
dyson.com.au@216.255.88.233
electrabel.be@94.236.33.55
etisalat.com.eg@41.222.129.2
etisalat.eg@41.222.129.210
euromut.be@194.78.148.214
gmfleetorderguide.com@198.208.145.185
gm-korea.co.kr@198.208.106.109
hallmark.com@165.193.83.157
isuzu.co.za@41.215.239.42
mc.be@62.213.199.139
mcdonaldsarabia.com@216.255.66.200
membershiprewardsviagens.com.br@186.234.211.27
mylu.liberty.edu@208.95.48.173
oz.be@194.78.148.212
parlamento.pt@88.157.195.27
partenamut.be@194.78.148.217
planchevrolet.com.ar@198.208.145.32
portaldahabitacao.pt@194.38.148.237
sdtps.gov.ae@213.42.203.183
turismodeportugal.pt@83.240.208.254
tvlicence.ie@194.125.152.173
visitportugal.com@193.126.28.43
windgroup.it@54.229.10.164
www.agenziafarmaco.gov.it@156.54.64.29
www.agustawestland.com@193.169.150.1
www.anpostpayment.ie@194.125.152.187
www.base.gov.pt@194.65.55.203
www.chevrolet.co.kr@198.208.106.109
www.dgo.pt@213.63.137.49
www.dgs.pt@80.172.233.33
www.emfa.pt@194.140.232.200
www.gmiotraining.com@208.81.182.147
www.gov-madeira.pt@62.28.7.146
www.inci.pt@194.65.55.196
www.oz.be@137.116.217.170
www.pep.pt@83.240.239.138
www.sacredheart.edu@104.130.138.206
www.sef.pt@83.240.239.138
www.sicae.pt@91.198.182.96
www.wifiarea.it@217.169.121.230
(In reply to Hubert Kario from comment #6)
> Sites affected by root removal (using data collected from scanning Alexa Top
> 1 Million sites between 13th and 24th of October 2014).
>
> Total: 55 sites (22 less).

Thanks, Hubert, for continuing to provide this data.

Steven, Looks like you're making good progress. I assume all these customers have been informed of the dates for Firefox 35, and what they need to do before then.

Thanks!
Kathleen
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: Target Firefox 35 → Changes are in NSS 3.17.3, Firefox 36
Version: 3.16.4 → 3.17.3
https://www.ssllabs.com/ssltest/analyze.html?d=liberty.edu&latest
Notice this was just renewed today but still is based on the GTE CyberTrust root. Has an intermediate been created for LUPKI01 that is chained to a 2048-bit root?
Speaking of which, I also found that this was also renewed recently, but also still is based on the GTE CyberTrust root: https://myshu.sacredheart.edu/
(In reply to Yuhong Bao from comment #8)
> https://www.ssllabs.com/ssltest/analyze.html?d=liberty.edu&latest
> Notice this was just renewed today but still is based on the GTE CyberTrust
> root. Has an intermediate been created for LUPKI01 that is chained to a
> 2048-bit root.

(a) I don't understand, what is "LUPKI01" ?

(b) I see something else. Maybe they have changed their configuration again. I see a cert issued on Jan 05 with this chain:

Certificate chain
 0 s:/1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=Virginia/businessCategory=Private Organization/serialNumber=0136062-7/C=US/postalCode=24502-2269/ST=Virginia/L=Lynchburg/street=1971 University Blvd/O=LIBERTY UNIVERSITY, INC./OU=Technical Services/CN=www.liberty.edu
   i:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
 1 s:/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 EV SSL CA - G3
   i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
 2 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
   i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

(and I get a domain mismatch, because the cert isn't valid for liberty.edu, but only valid for www.liberty.edu)

(In reply to Yuhong Bao from comment #9)
> Speaking of which I also found that this was also renewed recently, but
> alsostill is based on the GTE CyberTrust root:
> https://myshu.sacredheart.edu/

Please distinguish between the CA and the separate entity that controls the intermediate CA. The intermediate CA, which is controlled by the university, has issued the server certificate.
LUPKI01 is the intermediate certificate, and yes notice this happened after the date of my original comment.
(In reply to Hubert Kario from comment #6)
> Sites affected by root removal (using data collected from scanning Alexa Top
> 1 Million sites between 13th and 24th of October 2014).
>
> Total: 55 sites (22 less).
>

Hi Hubert,

Would you please provide new data again? As you know, the "GTE CyberTrust Global Root" is removed in Firefox 36, which is scheduled to release on Feb 23. https://wiki.mozilla.org/RapidRelease/Calendar

Thanks,
Kathleen
Sure. I plan to start a new scan this Friday (16/01/2015) so I should have the data around 30th of January.
Excellent! Thanks!
(In reply to Yuhong Bao from comment #11)
> LUPKI01 is the intermediate certificate, and yes notice this happened after
> the date of my original comment.

A reminder that they also will have to replace the certificate used on mylu.liberty.edu too.
(In reply to Hubert Kario from comment #16)
> Sites affected by root removal (using data collected from scanning Alexa Top
> 1 Million sites between 17th and 30th of January 2015).
>
> Total: 47 sites (8 less).

Thanks Hubert!

All, If any of you have contacts for the above websites, please point them to:
https://blog.mozilla.org/security/2015/01/28/phase-2-phasing-out-certificates-with-1024-bit-rsa-keys/
FYI, of the ECCE ones, emfa.pt and visitportugal.com already have been fixed to use Baltimore.
We remain actively involved in helping customers who will be affected by the February 23rd release. In many cases, several of these certificates represent single customers in the process of moving larger certificate populations than those shown.
Depends on: 1120977