Closed Bug 471586 Opened 15 years ago Closed 15 years ago

block rogue CA certificate announced at 25c3

Categories: CA Program :: CA Certificate Root Program (task, priority not set, severity major)

Tracking: Not tracked

Status: RESOLVED FIXED

People: Reporter: phr-mozilla, Assigned: hecker

Keywords: fixed1.9.0.6, fixed1.9.1

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008121622 Fedora/3.0.5-1.fc10 Firefox/3.0.5

See: http://www.win.tue.nl/hashclash/rogue-ca/

Researchers announce a forged CA certificate that works in most browsers. The exploit is based on finding free collisions in the MD5 hash function as announced in 2004. Several installed root CAs still rely on MD5. The attack is to create two CSRs with the same MD5, one of which is for a normal certificate and the other of which is for a CA certificate. They submit the normal CSR to one of the existing CAs and obtain a signature that now works on their other CSR. The result is they now have a CA certificate chained to and signed by the existing CA root. This attack is too compute-intensive for a traditional attacker with a bunch of PCs, but is within reach of a large organization or a botnet. It looks to me like existing CAs still relying on MD5 should be phased out quickly.

Reproducible: Always

Dupe of bug 471539?
Yes, a dupe, I had looked for one first but I guess not for the right keywords.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
In bug 471715, Dan Veditz asked that we add a cert to NSS's built-in list 
of certs, for the purpose of blocking/denying use of certs issued by the 
rogue CA cert.  I think that's potentially a CA Certificate Policy question
so I'm reopening this bug as the vehicle by which to ask Frank if we want 
to do that.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Summary: rogue CA certificate announced at 25c3 → block rogue CA certificate announced at 25c3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Frank: what say you? If we're going to get this into the next Firefox release we need to decide quickly. Code freeze is nominally tomorrow although this could probably go in a little later.
OK, here's what I understand:

1. The intent here is to block any possibility that NSS-based products (Firefox et al.) would recognize as valid any certificates that might happen to be issued by the forged CA certificate created as part of the MD5 attack.

2. The forged CA certificate would not normally be recognized in any case because it is expired, but (per bug 471539) there is at least a possibility that that protection might not be effective due to mis-configured systems, an attack on NTP, or other scenarios where system time might be set to a date in the past. The proposed patch eliminates this possibility.

3. Adding the Nelson-created cert to the root list (per bug 471715) would block recognition of certs issued under the forged CA cert, but would *not* affect recognition of existing certificates issued under the original CA cert (i.e., the one that was the target of the forgery) and in current use on the web.

If I've understood the above points right (especially point 3) then I'm OK with Nelson proceeding with the change proposed in bug 471715. However, if making this change will cause legitimately-issued already-in-use end-entity certs to fail, then I think we need to discuss this a bit more.
One more comment to clarify a point I addressed in an email to dveditz: My item 3 in comment #5 above was in reference to the possibility that adding the Nelson-created cert would cause large numbers of existing certs not to work, e.g., all the certs issued by a particular CA, or a large fraction of them. According to dveditz this is not the case; at most there would be only one already-issued cert that might be affected. I don't see that as an issue, so I'm just reiterating my approval of the change.
Bug 471715 has been fixed on trunk and branches.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program