Closed Bug 1157873 Opened 6 years ago Closed 6 years ago

remove entries from the CNNIC whitelist that aren't in the certificate transparency log

Product/Component: Core :: Security
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Target Milestone: mozilla40
Tracking Status: firefox40 --- fixed
Reporter: keeler
Assignee: keeler
Keywords: sec-other
Whiteboard: [adv-main40-]
Attachments: 1 file

The initial CNNIC whitelist landed with some certificates that aren't in the certificate transparency pilot log. We should remove those from the whitelist. We should also specifically check for and omit certificates with notBefore dates on or after 1 April 2015.
Attached patch: patch
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Attachment #8596785 - Flags: review?(rlb)
Comment on attachment 8596785: patch

Review of attachment 8596785:

Note: I only reviewed the JS. I did not check the changes to the hashes.

::: security/manager/tools/makeCNNICHashes.js
@@ +133,5 @@
> +    // If we can't verify the certificate, don't include it. Unfortunately, if
> +    // a CNNIC-issued certificate wasn't previously on the whitelist but it
> +    // otherwise verifies successfully, verifyCertNow will return
> +    // SEC_ERROR_REVOKED_CERTIFICATE, so we count that as verifying
> +    // successfully.
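Review bot: the comment in this hunk should also say that a CNNIC-issued certificate that is genuinely revoked (for example via OCSP) produces the same SEC_ERROR_REVOKED_CERTIFICATE from verifyCertNow, so the script cannot tell it apart from the "not yet on the whitelist" case and will hash and include it. Either note that explicitly in the comment, adding that the browser will still reject such a certificate as revoked at connection time because the whitelist does not override revocation checking, or run the generation step with the whitelist check disabled so that a real revocation surfaces as a failure instead of being counted as success.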

Maybe add a note that if the certificate is actually revoked (in OCSP), then it will still show up as revoked if the browser encounters it, even though it's on the whitelist.
Attachment #8596785 - Flags: review?(rlb) → review+
(In reply to Richard Barnes [:rbarnes] from comment #2)
> Maybe add a note that if the certificate is actually revoked (in OCSP), then
> it will still show up as revoked if the browser encounters it, even though
> it's on the whitelist.

That doesn't sound awesome. Are we going to be checking the whitelisted certs regularly to see if they've been revoked, so we can unwhitelist them?

Gerv
https://hg.mozilla.org/mozilla-central/rev/13f48b850248
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Whiteboard: [adv-main40-]