add another Kazakhstan MITM root to OneCRL (September 2024)
Categories: Core :: Security Block-lists, Allow-lists, and other State (task, P1)
People: Reporter: keeler, Unassigned
References: Blocks 1 open bug
Whiteboard: [ca-onecrl]
Attachments: 1 file (2.14 KB, text/plain)
Looks like they regenerated it again.
Comment 2 • 1 year ago
Copying my notes from duplicate Bug 1920163.
serial number 6c47089c34a88e43dde0dee30661558da9cb2e70
subject /C=KZ/O=ISCA/CN=Information Security Certification Authority
not before 2020-02-28T07:04:41Z
not after 2050-02-28T07:04:41Z
sha1 hash BFD7F531ECA8E3D65B4738167B160B7A95A8D894
sha256 hash 235150DE7DF7DB2E538D461BC4D210C4E0819BE2C4C76969476E3CBE67B723DD
This is the certificate I see today if I download from https://isca.gov.kz/Information_Security_Certification_Authority_CA_pem.crt. There's a Wayback Machine archive at https://web.archive.org/web/20240920170448id_/https://isca.gov.kz/Information_Security_Certification_Authority_CA_pem.crt. The next most recent archive, 20240615065532, is Bug #1879046.
However, when I visit https://check.isca.gov.kz/ today, the intermediate certificate I get has
X509v3 Authority Key Identifier:
keyid:C5:1D:32:70:96:8C:19:99:7C:F2:E4:E3:B9:77:08:EF:E2:76:F3:18
DirName:/CN=Information Security Certification Authority/O=ISCA/C=KZ
serial:45:1D:32:70:96:8C:19:99:7C:F2:E4:E3:B9:77:08:EF:E2:76:F3:18
where the serial number matches not the attached root certificate, but the root certificate in Bug #1864724.
I was moved to check this today as a result of a new report by OONI, Internet Freedom Kazakhstan (IFKZ), and Eurasian Digital Foundation that finds instances of Kazakhstan MITM since 2021 in Internet measurement data and documents different intermediate certificates that have been seen. Other external discussion: https://github.com/net4people/bbs/issues/339#issuecomment-2364261946.
I do not find this certificate with sha256 fingerprint 235150DE7DF7DB2E538D461BC4D210C4E0819BE2C4C76969476E3CBE67B723DD at https://crt.sh/.
Comment 3 • 1 year ago
> The next most recent archive
According to the HTTP Last-Modified and ETag headers, this 235150DE... certificate became available for download about 7.5 hours ago, at 2024-09-20 10:07:01.
$ curl -I https://isca.gov.kz/Information_Security_Certification_Authority_CA_pem.crt
HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Fri, 20 Sep 2024 19:28:52 GMT
Content-Type: application/x-x509-ca-cert
Content-Length: 2194
Connection: keep-alive
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Disposition: attachment; filename=Information_Security_Certification_Authority_CA_pem.crt
Last-Modified: Fri, 20 Sep 2024 10:07:01 GMT
Cache-Control: public, max-age=43200
Expires: Sat, 21 Sep 2024 07:28:52 GMT
ETag: "1726826821.7468333-2194-2860391182"
Strict-Transport-Security:: max-age=63072000
Set-Cookie: cookiesession1=678B286AED4632697C6B1AC68F0A4207;Expires=Sat, 20 Sep 2025 19:28:52 GMT;Path=/;HttpOnly
Comment 4 • 1 year ago
Here is the information to be added to OneCRL:
{
  "issuerName": "MFMxNTAzBgNVBAMTLEluZm9ybWF0aW9uIFNlY3VyaXR5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYDVQQKEwRJU0NBMQswCQYDVQQGEwJLWg==",
  "serialNumber": "bEcInDSojkPd4N7jBmFVjanLLnA=",
  "enabled": true,
  "details": {
    "who": "",
    "created": "",
    "bug": "1920157",
    "name": "",
    "why": ""
  }
}
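As an added cross-check (example code written for this page, not part of the bug or of Mozilla's OneCRL tooling): a OneCRL entry's issuerName is the base64 of the DER-encoded issuer Name and serialNumber is the base64 of the raw serial bytes, so decoding both lets a reviewer confirm the record matches the serial and subject quoted in Comment 2 before approving it. The DER parser below is a minimal subset that handles the SEQUENCE-of-SET-of-AttributeTypeAndValue structure of an X.501 Name; the OID table covers only the attribute types present in this entry.

```python
import base64

# The OneCRL record from this bug (values copied from the page).
ONECRL_ENTRY = {
    "issuerName": "MFMxNTAzBgNVBAMTLEluZm9ybWF0aW9uIFNlY3VyaXR5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYDVQQKEwRJU0NBMQswCQYDVQQGEwJLWg==",
    "serialNumber": "bEcInDSojkPd4N7jBmFVjanLLnA=",
}

# DER-encoded attribute type OIDs (id-at-commonName, organizationName, countryName).
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}


def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, next_pos).
    Handles short-form and long-form lengths."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_name(der):
    """Decode a DER X.501 Name into (attr, value) pairs in encoded order.
    Note: RFC 4514 string form (C=KZ,O=ISCA,CN=...) lists RDNs in reverse."""
    tag, rdn_sequence, _ = read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    pairs, pos = [], 0
    while pos < len(rdn_sequence):
        tag, rdn_set, pos = read_tlv(rdn_sequence, pos)
        assert tag == 0x31, "RelativeDistinguishedName must be a SET"
        p = 0
        while p < len(rdn_set):  # a SET may hold several AttributeTypeAndValue
            _, atv, p = read_tlv(rdn_set, p)
            _, oid, q = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, q)  # PrintableString/UTF8String bytes
            pairs.append((OID_NAMES.get(oid, oid.hex()), value.decode("utf-8")))
    return pairs


def onecrl_entry_summary(entry):
    """Return (issuer name pairs, lowercase hex serial) for a OneCRL record."""
    name = decode_name(base64.b64decode(entry["issuerName"]))
    serial = base64.b64decode(entry["serialNumber"]).hex()
    return name, serial


if __name__ == "__main__":
    name, serial = onecrl_entry_summary(ONECRL_ENTRY)
    print("issuer:", ", ".join(f"{k}={v}" for k, v in name))
    print("serial:", serial)
```

The decoded serial should equal the 6c47089c... value in Comment 2; a mismatch would mean the record targets a different certificate than the one attached.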
Comment 5 • 1 year ago
Here is the crt.sh CA record - https://crt.sh/?id=14682080594
Comment 6 • 1 year ago
That looks correct to me. I've approved it in stage - can you add it to prod?
Comment 7 • 1 year ago
This is now in OneCRL.