Closed Bug 1437826 Opened 6 years ago Closed 5 years ago

Clarify Thunderbird 60's plan for Symantec CA distrust

Categories

(Thunderbird :: Security, enhancement)


Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: KaiE, Unassigned)

References

Details

The Firefox 60 core certificate validation code will be changed to distrust certain Symantec certificates.

For background see bug 1434300 and bug 1409257.

The original intention is to limit this distrust to web browsers.

However, because Thunderbird reuses Firefox code, Thunderbird would automatically inherit this behavior, unless Thunderbird chooses to override it.

I assume that a new Thunderbird version 60 will be based on the Firefox 60 code, is this correct?

If yes, I suggest to clarify Thunderbird's plan for the Symantec CA distrust initiative.

If my understanding is correct, and Thunderbird 60 wishes to continue to trust all Symantec CAs (at least until October 2018), then the Thunderbird code would have to override the Firefox 60 distrust implementation.
Depends on: 1434300
Thanks for considering Thunderbird! I've done a bit of reading, and it seems to me that Symantec made some mistakes during cert issuing, and that browsers are no longer trusting them.

We don't have any sort of telemetry that would tell us if email servers are using Symantec certs, and given there seems to be a good reason to distrust them in the browser world I would be fine to follow this approach for Email.

Kai, do you have any specific reason in mind why Thunderbird would want to diverge from Firefox's approach here?
Flags: needinfo?(kaie)
Hello Jeremy, could you please comment on the following aspect of the SSL/TLS server certificate migration initiative?

Is your migration initiative limited to SSL/TLS server certificates that are intended to be used for web site services (web browser clients), or does the migration initiative cover all SSL/TLS server certificates, regardless of which kind of SSL/TLS service the certificate is used for?

If you could confirm that you are migrating all SSL/TLS server certificates, not just those for web sites, it would mean a simplification for Thunderbird software, which connects to various kinds of services that use non-HTTP protocols, but which are frequently also secured using SSL/TLS server certificates.
Flags: needinfo?(kaie) → needinfo?(jeremy.rowley)
The migration is for all certs with a serverAuth EKU. There are some customers being added to an exception list, but this is limited to customers who require the Symantec root because of pinning issues and where the cert is intended for server-to-server communication.
Flags: needinfo?(jeremy.rowley)
What action and/or publicity do we need here?  (a relnote?)
Flags: needinfo?(mkmelin+mozilla)
Flags: needinfo?(jorgk)
relnote sounds good. So far I don't think we have any reason to diverge from Firefox on this.
Flags: needinfo?(mkmelin+mozilla)
OK, can you suggest the text, I'm not familiar with the issue.
Flags: needinfo?(jorgk)
Perhaps 

All certificates issued by Symantec roots before 2016-06-01 are distrusted in Thunderbird 60 and above. This applies to all of the brands Symantec operated; Thawte, RapidSSL, GeoTrust, Verisign, and Symantec.
Can someone provide an update on the plans for Symantec distrust in Thunderbird? I don't see a reference to this in the 60 Beta release notes.

Jeremy posted about S/MIME distrust earlier today on m.d.s.p.: https://groups.google.com/d/msg/mozilla.dev.security.policy/QyQ-e8OnHnk/VzAL7GB8CAAJ

He stated that DigiCert plans to cease new issuance of S/MIME certificates from Symantec hierarchies on Oct 1, 2018. If it is feasible to distrust all S/MIME certs issued after this date in Thunderbird, I think that would be a good approach.

I am planning to post an update on the Symantec distrust to the Mozilla Security blog in July and would be happy to include information on Thunderbird's plans.
Wayne, I don't speak for Thunderbird, but I think I can clarify the following:

Thunderbird doesn't have its own certificate code for TLS trust. It fully reuses the Firefox code. Unless you see specific plans mentioned in this bug, it probably means that TB will do the same as FF. This is my understanding of comment 5.

TB folks, please correct me if I'm wrong.
Thanks Kai. For "TLS Trust", are you referring to SMTP,POP, and IMAP over TLS? If that is the scope of this bug, then it makes sense to me that Thunderbird would inherit the Firefox changes. However, that leaves open the question of how Thunderbird will handle trust in S/MIME certs issued from Symantec hierarchies.
Kai is correct, the certificate code is the same as for the corresponding Firefox release. And yes, we don't have any plans to diverge from that. 

I assume by default trust will be revoked for all protocols (and S/MIME) once the certs are distrusted per Firefox's plans.
Magnus: My concern, then, is S/MIME. The consensus Symantec distrust plan didn't include S/MIME certificates in-scope, and we know from DigiCert that Symantec hierarchies are still actively being used to issue S/MIME certificates (under DigiCert's proposal, I'm told that the last Symantec S/MIME certificate wouldn't expire until Oct 1, 2021). If Thunderbird inherits S/MIME distrust from Firefox code, then I would expect some user to be affected.

If that is indeed the intention, then I'd like to help communicate this change. Will it be added to the 60 release notes? When is Thunderbird 60 expected to be released?
The Mozilla CA trust defines trust flags for TLS and S/MIME independently. Both Firefox and Thunderbird have access to both trust flags. Firefox probably ignores the S/MIME trust flags. Thunderbird makes use of the TLS trust flags for all client-server connections that use a TLS transport, and inherits the Firefox behavior. For S/MIME email signatures and encryption, Thunderbird uses the separate S/MIME trust flags.

This means, the decisions made by the Mozilla CA list maintainers for the S/MIME trust flags directly control what Thunderbird trusts.
Jorg, do you need further clarification before adding this to release notes?
Flags: needinfo?(jorgk)
Version: unspecified → 60
Yes, someone should confirm the suggestion made in comment #7:

All certificates issued by Symantec roots before 2016-06-01 are distrusted in Thunderbird 60 and above. This applies to all of the brands Symantec operated; Thawte, RapidSSL, GeoTrust, Verisign, and Symantec.

I guess the ";" is a typo and wants to be a ":". And maybe shorter: This applies to all Symantec brands: ...
Flags: needinfo?(jorgk)
The distrust that shipped in Firefox 60 requires the pref security.pki.distrust_ca_policy be defaulted to '1'. Has this change been made in Thunderbird 60?

If so, then the statement made in comment #7 is accurate for TLS connections. I would recommend that you clarify that these changes have no effect on Thunderbird's treatment of Symantec S/MIME certificates (I keep getting confused about that!). If you would like to reference more specifics about what is distrusted, this is a good link: https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec
For Thunderbird 60 security.pki.distrust_ca_policy is 1, yes (since that's the default for release).

If it is, as I understand it, that the email trust bits have not been distrusted (and future plans unclear), then maybe a more clear statement would be:

---
All certificates issued by Symantec roots before 2016-06-01 are distrusted for use in TLS secured traffic in Thunderbird 60 and above. This applies to all of the brands Symantec operated: Thawte, RapidSSL, GeoTrust, Verisign, and Symantec. For usage in S/MIME the certificates remain valid.
---

And I agree linking to https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec is a good idea.
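As an added example (not code from this bug, from Thunderbird, or from NSS), the following script applies the two facts the thread settles on to a mail server's TLS certificate: Thunderbird 60 inherits the Firefox 60 distrust (security.pki.distrust_ca_policy = 1), which rejects certificates chaining to the Symantec-operated brands when their notBefore predates 2016-06-01, while S/MIME trust is governed by the separate email trust flag and is untouched. Python's ssl module only exposes the leaf certificate, so the brand is inferred from the leaf's issuer (the issuing intermediate); that is an assumption, since Symantec intermediates usually carry the brand name but white-label or cross-signed intermediates may not. The Mozilla exception list for pinned sub-CAs is not modelled, and the sample certificate dicts are constructed, not real certificates.

```python
"""Classify a mail server's TLS leaf certificate against the Thunderbird 60
Symantec distrust (TLS trust only; S/MIME trust bits are separate).

Added example, not part of the bug or of Thunderbird/NSS.  Brand detection
from the leaf's issuer field is a heuristic (assumption), and the Mozilla
exception list for pinned sub-CAs is not modelled.
"""
import socket
import ssl
from datetime import datetime, timezone

# Brands named in the release note text; matched case-insensitively.
SYMANTEC_BRANDS = ("symantec", "thawte", "rapidssl", "geotrust", "verisign")
# Firefox 60 / Thunderbird 60 stage: certificates issued before this date.
CUTOFF = datetime(2016, 6, 1, tzinfo=timezone.utc)


def _rdn_values(name):
    """Flatten a getpeercert()-style name (tuple of RDNs, each a tuple of
    (attribute, value) pairs) into one lowercase string for substring tests."""
    return " ".join(value for rdn in name for _, value in rdn).lower()


def classify(cert):
    """Return 'symantec-distrusted', 'symantec-not-yet' or 'other'.

    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert().
    'symantec-not-yet' means a Symantec-brand issuer with notBefore on or
    after the cutoff, i.e. not affected by the Thunderbird 60 stage.
    """
    issuer = _rdn_values(cert.get("issuer", ()))
    if not any(brand in issuer for brand in SYMANTEC_BRANDS):
        return "other"
    # notBefore is formatted like 'Mar 10 00:00:00 2015 GMT'.
    seconds = ssl.cert_time_to_seconds(cert["notBefore"])
    not_before = datetime.fromtimestamp(seconds, tz=timezone.utc)
    return "symantec-distrusted" if not_before < CUTOFF else "symantec-not-yet"


def fetch_peer_cert(host, port, timeout=10):
    """Fetch the leaf certificate of an implicit-TLS service (IMAPS 993,
    POP3S 995, SMTPS 465).  Verification stays enabled so that chains the
    local trust store already rejects raise instead of being classified."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in getpeercert() shape (not real certificates).
SAMPLE_OLD_RAPIDSSL = {
    "subject": ((("commonName", "imap.example.net"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "GeoTrust Inc."),),
               (("commonName", "RapidSSL SHA256 CA"),)),
    "notBefore": "Mar 10 00:00:00 2015 GMT",
    "notAfter": "Mar 10 23:59:59 2018 GMT",
}
SAMPLE_BOUNDARY_THAWTE = {
    "subject": ((("commonName", "smtp.example.net"),),),
    "issuer": ((("organizationName", "thawte, Inc."),),
               (("commonName", "thawte SSL CA - G2"),)),
    "notBefore": "Jun  1 00:00:00 2016 GMT",   # exactly the cutoff: not < CUTOFF
    "notAfter": "Jun  1 23:59:59 2018 GMT",
}
SAMPLE_OTHER = {
    "subject": ((("commonName", "pop.example.org"),),),
    "issuer": ((("organizationName", "Example Trust Services"),),
               (("commonName", "Example Issuing CA 1"),)),
    "notBefore": "Jan  5 00:00:00 2015 GMT",
    "notAfter": "Jan  5 23:59:59 2018 GMT",
}


if __name__ == "__main__":
    import sys
    # Usage: python check_symantec.py imap.example.net:993 smtp.example.net:465
    for target in sys.argv[1:]:
        host, _, port = target.partition(":")
        try:
            print(target, classify(fetch_peer_cert(host, int(port or 993))))
        except (OSError, ssl.SSLError) as exc:
            print(target, "error:", exc)
```

The classification only says what the TLS trust flag decision would be; a certificate reported as symantec-distrusted can still be perfectly valid for S/MIME in Thunderbird 60, exactly as the release note text above states.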
Release note, incl. link, added.
The statement from Magnus Melin from comment #17 is accurate as I understand it.

This can be closed?

Flags: needinfo?(kaie)

(In reply to Wayne Mery (:wsmwk) from comment #20)
> This can be closed?

Yes, this bug can be closed. The statement in Comment #17 was correct.

The remainder of the DigiCert-Symantec root transition will be handled in Bug #1401384.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Flags: needinfo?(kaie)
Resolution: FIXED → WORKSFORME