Closed Bug 1879046 Opened 8 months ago Closed 7 months ago

Add New Kazakhstan Root Certificate to OneCRL

Categories: Core :: Security Block-lists, Allow-lists, and other State (task)
Status: RESOLVED FIXED
People: Reporter: theuser, Assigned: bwilson
References: Blocks 1 open bug
Whiteboard: [ca-onecrl]
Attachments: 5 files

Attached file m-joyreactor-cc(1).pem

+++ This bug was initially created as a clone of Bug #1680922 +++

Another MITM attempt by the KZ government.
When I visit https://m.reactor.cc, the real certificate is replaced with the one that I attached.

Many people install the mandatory certificate to be able to access some government websites.
I'm not sure if the browser will let you in if you have those mandatory certificates installed.

Actual results:

Can't access the website, but Firefox doesn't say that it's a rogue certificate.

Expected results:

I think Mozilla must add it to the blacklist (blocklist).

Attached file m-joyreactor-cc.pem

I got the files from the "View certificate" tab. One tab was for m.joyreactor.cc, another was "Intermediate".
Each tab had 2 files. I saved both and attached them here.

Do you have a copy of the certificate the government wants you to install?

Flags: needinfo?(salimhon)

Never mind - I think I found it. Thanks for filing this, by the way!

Flags: needinfo?(salimhon)
Whiteboard: [ca-onecrl]

The following certificate information will be of use in adding this root certificate to OneCRL:

"issuerName": "MFMxNTAzBgNVBAMTLEluZm9ybWF0aW9uIFNlY3VyaXR5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYDVQQKEwRJU0NBMQswCQYDVQQGEwJLWg==",

"serialNumber": "MgQS30wvsQLzmAyqdrphCuYshJI=",

"pubKeyHash": "iSjFk5iw8XHA+W/a5quN0PSO4G0XTaEMQErAAUPHp0k=",

Serial Number 320412DF4C2FB102F3980CAA76BA610AE62C8492
Subject C=KZ, O=ISCA, CN=Information Security Certification Authority
Issuer C=KZ, O=ISCA, CN=Information Security Certification Authority
Not Before 2020-02-28T06:16:40Z
Not After 2050-02-28T06:16:40Z

SHA1 Hash 1375EBDCF56359AAE0423E861AC8FC6231511CE6
SHA256 Hash 89107C8E50E029B7B5F4FF0CCD2956BCC9D0C8BA2BFB6A58374ED63A6B034A30
SPKI SHA256 8928C59398B0F171C0F96FDAE6AB8DD0F48EE06D174DA10C404AC00143C7A749
Subject SPKI SHA256 6B0F6067F2FE25B0BAC6679266AE73749DC7D1044C84809398F9E37AF3F4F311
HPKP PIN-SHA256 iSjFk5iw8XHA+W/a5quN0PSO4G0XTaEMQErAAUPHp0k=
Certificate Extensions
AuthorityKeyID sgQS30wvsQLzmAyqdrphCuYshJI=
SubjectKeyId sgQS30wvsQLzmAyqdrphCuYshJI=

Assignee: nobody → bwilson
Status: UNCONFIRMED → ASSIGNED
Type: enhancement → task
Ever confirmed: true
Summary: MITM in Kazakhstan → Add New Kazakhstan Root Certificate to OneCRL

I reviewed the proposed change to OneCRL in Kinto staging and approved it.

This CA certificate is now recorded here, too: https://crt.sh/?id=12281942153

% python compare.py
[13:03:34] Stage-Stage: 1603 Stage-Preview: 1603 Stage-Published: 1603  compare.py:67
[13:03:35] Prod-Stage: 1603 Prod-Preview: 1603 Prod-Published: 1602  compare.py:75
           Verifying stage against preview  compare.py:82
           prod/security-state-staging (1603) and prod/security-state-preview (1603) are equivalent  compare.py:87
[13:03:36] prod/security-state-staging (1603) and prod/security-state-staging (1603) are equivalent  compare.py:87
           prod/security-state-staging (1603) and prod/security-state-preview (1603) are equivalent  compare.py:87
           prod/security-state-preview (1603) and prod/security-state-staging (1603) are equivalent  compare.py:87
           prod/security-state-preview (1603) and prod/security-state-preview (1603) are equivalent  compare.py:87
           prod/security-state-staging (1603) and prod/security-state-preview (1603) are equivalent  compare.py:87
           No changes are waiting in staging  compare.py:90
           There are 1 changes waiting in production. Adding:  compare.py:99
{
    'details': {'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1879046', 'who': 'dkeeler@mozilla.com', 'why': 'Kazakhstan MITM (#10)', 'name': 'Information Security Certification Authority', 'created': ''},
    'enabled': True,
    'issuerName': 'MFMxNTAzBgNVBAMTLEluZm9ybWF0aW9uIFNlY3VyaXR5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYDVQQKEwRJU0NBMQswCQYDVQQGEwJLWg==',
    'serialNumber': 'MgQS30wvsQLzmAyqdrphCuYshJI='
}
           Staging is updated, and production changes are waiting, so Firefox can use  compare.py:110
           Remote Settings DevTools (https://github.com/mozilla-extensions/remote-settings-devtools)
           and cert-storage-inspector (https://github.com/mozkeeler/cert-storage-inspector) to test
           OneCRL.
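
The certificate details posted earlier in this bug and the OneCRL record printed by compare.py describe the same CA in two encodings: OneCRL stores the DER-encoded issuer name, the serial number and the SPKI hash as base64, while the bug lists them as upper-case hex. The following added example (my own code, not part of this bug, of compare.py or of Mozilla's tooling; the function names are assumptions) decodes the record with a minimal DER Name parser and checks it against the hex values from the bug, which is the check a reviewer wants before approving the block-list entry.

```python
import base64
import binascii
# OneCRL record for the CA in this bug (issuerName/serialNumber/pubKeyHash copied from the bug).
ONECRL_ENTRY = {
    "issuerName": "MFMxNTAzBgNVBAMTLEluZm9ybWF0aW9uIFNlY3VyaXR5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYDVQQKEwRJU0NBMQswCQYDVQQGEwJLWg==",
    "serialNumber": "MgQS30wvsQLzmAyqdrphCuYshJI=",
    "pubKeyHash": "iSjFk5iw8XHA+W/a5quN0PSO4G0XTaEMQErAAUPHp0k=",
}
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}  # attribute types used here

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value bytes, next offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(raw):
    """Decode a DER OBJECT IDENTIFIER value into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_name(b64):
    """Decode a base64 DER Name (OneCRL's issuerName encoding) into {attr: value}."""
    tag, seq, _ = _tlv(base64.b64decode(b64), 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    attrs, pos = {}, 0
    while pos < len(seq):
        _, rdn, pos = _tlv(seq, pos)      # each RDN is a SET OF AttributeTypeAndValue
        _, ava, _ = _tlv(rdn, 0)          # this Name has exactly one AVA per RDN
        _, oid_raw, p = _tlv(ava, 0)
        _, val, _ = _tlv(ava, p)          # PrintableString / UTF8String payload
        oid = _oid(oid_raw)
        attrs[OID_NAMES.get(oid, oid)] = val.decode()
    return attrs

def b64_to_hex(b64):
    return binascii.hexlify(base64.b64decode(b64)).decode().upper()

def entry_matches(entry, serial_hex, spki_sha256_hex, issuer):
    """Confirm the OneCRL record identifies the certificate it is meant to block."""
    return (b64_to_hex(entry["serialNumber"]) == serial_hex.upper()
            and b64_to_hex(entry["pubKeyHash"]) == spki_sha256_hex.upper()
            and decode_name(entry["issuerName"]) == issuer)
```

Note that the DER Name yields CN, O, C in that order, which is why the bug's OpenSSL-style rendering "C=KZ, O=ISCA, CN=..." reads reversed.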

The CA Certificate is now included in OneCRL, and this bug can now be closed.

Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED