Distrust MSCHOLDING intermediate certificate

RESOLVED FIXED in Firefox 38

Status

task
--
major
RESOLVED FIXED
4 years ago
3 years ago

People

(Reporter: rbarnes, Assigned: kaie)

Tracking

({sec-high})

Firefox Tracking Flags

(firefox38 fixed, firefox38.0.5 fixed, firefox39 fixed, firefox40 fixed, firefox41 fixed, firefox-esr31 wontfix, firefox-esr38 fixed, b2g-v2.0 fixed, b2g-v2.0M fixed, b2g-v2.1 fixed, b2g-v2.1S fixed, b2g-v2.2 fixed, b2g-master fixed)

Details

(Whiteboard: [b2g-adv-main2.2-])

Attachments

(3 attachments, 1 obsolete attachment)

(Reporter)

Description

4 years ago
An intermediate certificate under the CNNIC root issued a certificate for google.com.  We should distrust that intermediate in NSS.

The only thing that gives me pause about this change is that the intermediate expires on 6 Apr 2015, so the benefit would be rather short-lived.
(Reporter)

Comment 3

4 years ago
Posted patch bug-1146026.patch (obsolete) — Splinter Review
Attachment #8581175 - Flags: review?(kaie)
(Assignee)

Comment 4

4 years ago
Yes, given the short lived nature of this intermediate, I wonder how much benefit it would have.

Has the private key been published for this intermediate?

Would Mozilla be willing to push out a chemspill release for this?
Keywords: sec-high
(Assignee)

Comment 5

4 years ago
Comment on attachment 8581175 [details] [diff] [review]
bug-1146026.patch

Richard, for the purpose of confirming your patch, I tried to reproduce your patch by using the intermediate you have attached, and running the addbuiltin utility.

I'm confused, because my patch differs from your's in the encoding of the serial number.

Even more confusing, there are two sections, one for the certificate, one for the trust record. Your patch has different encodings in the sections, but they should be identical.

How did you create the patch?

I'll attach the patch that I've created using:

cat /tmp/int_orig.pem| atob| addbuiltin -t p,p,p -n "Explicitly Distrusted MCSHOLDING CA"
(Assignee)

Comment 6

4 years ago
Posted patch patch v2Splinter Review
(Reporter)

Comment 7

4 years ago
(In reply to Kai Engert (:kaie) from comment #5)
> Comment on attachment 8581175 [details] [diff] [review]
> bug-1146026.patch
>
> How did you create the patch?
> 
> I'll attach the patch that I've created using:
> 
> cat /tmp/int_orig.pem| atob| addbuiltin -t p,p,p -n "Explicitly Distrusted
> MCSHOLDING CA"

I hacked it by hand, so your version should be the right one.

I'm still not totally convinced that this is worth landing.  Mozilla is not planning a chemspill for this.  The public key has not been leaked, and MSC Holdings claims to have deleted their copy.
(Reporter)

Updated

4 years ago
Attachment #8581175 - Attachment is obsolete: true
Attachment #8581175 - Flags: review?(kaie)
(Assignee)

Comment 8

4 years ago
(In reply to Richard Barnes [:rbarnes] from comment #7)
> I'm still not totally convinced that this is worth landing.  Mozilla is not
> planning a chemspill for this.  The public key has not been leaked, and MSC
> Holdings claims to have deleted their copy.

We discussed it today in the call. We thought it would be reasonable to:
- don't rush
- push out the intermediate anyway.

Richard, if you r+ed my patch, I'd to the following:

- land both this bug and bug 1145270
- release it as a new root CA list (version 2.4)
- create a NSS minibranch release 3.18.0.1 which has these two changes

Anyone who wants this NSS update could then easily pick it up.

We could offer to Firefox drivers to take it for Firefox 38, which already uses 3.18, and taking 3.18.0.1 would be a non-code change, only CA list change, so very low risk.
Flags: needinfo?(rlb)
(Assignee)

Updated

4 years ago
Attachment #8582599 - Flags: superreview?(rrelyea)
Attachment #8582599 - Flags: review?(rlb)
(Reporter)

Updated

4 years ago
Flags: needinfo?(rlb)
(Reporter)

Comment 9

4 years ago
Comment on attachment 8582599 [details] [diff] [review]
patch v2

Review of attachment 8582599 [details] [diff] [review]:
-----------------------------------------------------------------

It's fine with me if you want to proceed with this.  But it doesn't seem hugely important.  Given that the certificate is already expired, the only real benefit is that clients with clocks that are badly wrong.
Attachment #8582599 - Flags: review?(rlb) → review+
(Assignee)

Updated

4 years ago
Target Milestone: --- → 3.19
(Assignee)

Comment 10

4 years ago
can we open this bug?
(Assignee)

Comment 11

4 years ago
https://hg.mozilla.org/projects/nss/rev/c1bd3c0eaa34
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
(Assignee)

Comment 12

4 years ago
Landed into NSS_3_18_BRANCH
https://hg.mozilla.org/projects/nss/rev/624fd149bd3a
(Assignee)

Updated

4 years ago
Target Milestone: 3.19 → 3.18.1
(Assignee)

Comment 13

4 years ago
(In reply to Kai Engert (:kaie) from comment #10)
> can we open this bug?
Flags: needinfo?(dveditz)
Flags: needinfo?(dveditz)
I'm guessing this is wontfix for esr31? Unless we end up taking 3.19.1 there as well.
(Assignee)

Comment 15

4 years ago
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #14)
> I'm guessing this is wontfix for esr31?

Agreed.


> Unless we end up taking 3.19.1 there as well.

We'll take a 3.19.1 that's modified to keep the old set of root CA certificates (pre 1024-bit removal).
Flags: needinfo?(kaie)
Blocks: 1166031
No longer depends on: 1166031
Al, what's the advisory status for Firefox on this?
Flags: needinfo?(abillings)
Whiteboard: [b2g-adv-main2.2?]
Flags: needinfo?(abillings)
(In reply to Christiane Ruetten [:cr] from comment #16)
> Al, what's the advisory status for Firefox on this?

We don't write advisories for certificate changes.
Whiteboard: [b2g-adv-main2.2?] → [b2g-adv-main2.2-]

Updated

4 years ago
Attachment #8582599 - Flags: superreview?(rrelyea)

Updated

4 years ago
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.