Closed Bug 1227258 Opened 9 years ago Closed 9 years ago

Revoke/distrust published eDellRoot and DSDTestProvider

Categories

(NSS :: CA Certificates Code, task)

Product:
NSS
Component:
CA Certificates Code
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: dveditz, Assigned: KaiE)

Details

Attachments

(1 file)

1227258.patch
3.85 KB, patch
rbarnes
: feedback-
Details | Diff | Splinter Review 
Can we add explicit distrust to the published eDellRoot that many Dell users have found on their machines? So far no reports it's been installed in Firefox, but the private key has been published. I'd expect it to start getting used to MITM Dell users and then some crook to come up with the idea that it'd been even more useful if the MITM worked for Firefox, too.

I notice for Superfish we didn't distrust/revoke the root, we simply removed it if found. That leaves users open to having someone come along and put it back. Wouldn't it be better to revoke or blackball it?
(In reply to Daniel Veditz [:dveditz] from comment #0)
> I notice for Superfish we didn't distrust/revoke the root, we simply removed
> it if found. That leaves users open to having someone come along and put it
> back. Wouldn't it be better to revoke or blackball it?

With superfish, all TLS traffic was terminated at local machine. Revoking the certificate would have DoSed users with no way of accessing https sites to sort the problem out.

I'm not completely clear at this stage what the intended use of the Dell cert is - it may be that we can revoke this without issue. Either way, we need to know before we can act.

I'll get a blocklist item created in the mean time.
I'm seeing reports like http://www.laptopmag.com/articles/dell-certificate-security-flaw where people simply delete it from their machine, which makes me *think* it's not being used to MITM. I'd personally like to confirm with more certainty though.
#2 - looks like it was used to serve requests on 0.0.0.0 on a high port, and the server provided sensitive information like the laptop's service tag (identifying the make and model, and probably some other identifying info) to any website.

Blackballing the certificate would make https contexts unable to get that information without mixed content, I suppose.

Therefore, there should be no adverse affects to blacklisting the certificate.
http://www.kb.cert.org/vuls/id/925497

"Dell System Detect installs the DSDTestProvider certificate into theTrusted Root Certificate Store on Microsoft Windows systems. The certificate includes the private key. This allows attackers to create trusted certificates and perform impersonation, man-in-the-middle (MiTM), and passive decryption attacks, resulting in the exposure of sensitive information."

Mozilla needs to revoke DSDTestProvider certificate also.
Assignee: nobody → kaie
Summary: Revoke/distrust published eDellRoot → Revoke/distrust published eDellRoot and DSDTestProvider
Given that Firefox doesn't seem to be affected, it might not be required to rush.

Nevertheless, it seems reasonable to add distrust records.

I suggest that we include distrust records in NSS 3.22 which is currently planned to be included in Firefox 45.

Does Mozilla want to pick up the fix in Firefox 38.5 ESR, 43 and 44 ?
Flags: needinfo?(dveditz)
I downloaded:

(a)
http://joenord.com/eDellRoot.p7b 

Subject: "CN=eDellRoot"
Issuer: "CN=eDellRoot"
Serial Number:
6b:c5:7b:95:18:93:aa:97:4b:62:4a:c0:88:fc:3b:b6
Fingerprint (SHA-256):
EC:30:C9:C3:06:5A:06:BB:07:DC:5B:1C:6B:49:7F:37:0C:1C:A6:5C:0F:30:C0:8E:04:2B:A6:BC:EC:C7:8F:2C
Fingerprint (SHA1):
98:A0:4E:41:63:35:77:90:C4:A7:9E:6D:71:3F:F0:AF:51:FE:69:27


(b)
https://github.com/hannob/superfishy/blob/master/certificates/DSDTestProvider.crt

Subject: "CN=DSDTestProvider,O=DSDTestProvider,OU=DSDTestProvider"
Issuer: "CN=DSDTestProvider,O=DSDTestProvider,OU=DSDTestProvider"
Serial Number:
a4:4c:38:47:f8:ee:71:80:43:4d:b1:80:b9:a7:e9:62
Fingerprint (SHA-256):
0F:91:2F:D7:BE:76:0B:E2:5A:FB:C5:6B:DC:09:CD:9E:5D:CC:9C:6F:6A:55:A7:78:AE:FC:B6:AA:30:E3:15:54
Fingerprint (SHA1):
02:C2:D9:31:06:2D:7B:1D:C2:A5:C7:F5:F0:68:50:64:08:1F:B2:21
Attached patch 1227258.patchSplinter Review 
I created distrust records for the certificates mentioned in my previous comment, using the following commands:

addbuiltin -D -n "Explicitly Distrusted eDellRoot" -i edell.der
addbuiltin -D -n "Explicitly Distrusted DSDTestProvider" -i dsd.der
Attachment #8692629 - Flags: review?(rlb)
Component: Security → CA Certificates
Product: Core → NSS
Target Milestone: --- → 3.22
Version: 43 Branch → trunk
Comment on attachment 8692629 [details] [diff] [review]
1227258.patch

Review of attachment 8692629 [details] [diff] [review]:
-----------------------------------------------------------------

Dell says that they never installed this in any browsers, from which I infer that other third-party things that use NSS would also be affected.

https://twitter.com/LPT/status/671804259726266368

(LPT is the person that runs Dell's twitter feed.)

Given this situation, I think we should close this INVALID or WONTFIX.  It doesn't make any sense to blacklist every cert for which the private key has been published, and if an attacker can install his own root, he could just as well install another.
Attachment #8692629 - Flags: review?(rlb) → feedback-
Microsoft security tools will be removing this and detecting programs that try to add it back. We don't need it in Firefox.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Program%3aWin32%2fCompromisedCert.D&threatid=224188&enterprise=0#tab=1
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(dveditz)
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: