Bug 682956 - Investigate *.google.com certificate issued by DigiNotar and used by Iran government?
Status: RESOLVED DUPLICATE of bug 682927
Product: mozilla.org
Classification: Other
Component: CA Certificates
Assigned To: Kathleen Wilson
URL: http://pastebin.com/SwCZqskV
Reported: 2011-08-29 13:34 PDT by Paul van Brouwershaven
Modified: 2011-08-31 11:43 PDT
CC: 18 users

Attachments
fake_certificate_base64.cer (1.84 KB, application/octet-stream), 2011-08-29 13:34 PDT, Paul van Brouwershaven
Root untrusted in test build (61.07 KB, image/jpeg), 2011-08-30 02:34 PDT, Paul van Brouwershaven
Description Paul van Brouwershaven 2011-08-29 13:34:27 PDT
Created attachment 556662 [details]
fake_certificate_base64.cer

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.215 Safari/535.1

Steps to reproduce:

I would like to request your attention for the following thread in the Google help forum:

http://www.google.co.uk/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl=en

This mentions a certificate for *.google.com (serial 05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56) issued by DigiNotar and used by Iran government?

More details:
http://pastebin.com/ff7Yg663
Comment 1 Josh Triplett 2011-08-29 13:42:49 PDT
Triaging.  Already known by the right people at Mozilla; see bug 681902 comment 6, which references "the current DigiNotar incident".  Setting appropriate product/component, confirming, marking dupme in the hopes that a bug already exists for this.
Comment 2 Kathleen Wilson 2011-08-29 13:50:37 PDT
This is being urgently worked through according to Mozilla's Security Bugs Policy:
http://www.mozilla.org/projects/security/security-bugs-policy.html

Mozilla will be providing more information soon. I'll post an update here when available.
Comment 3 Josh Triplett 2011-08-29 13:53:36 PDT
(In reply to Kathleen Wilson from comment #2)
> This is being urgently worked through according to Mozilla's Security Bugs
> Policy:
> http://www.mozilla.org/projects/security/security-bugs-policy.html
> 
> Mozilla will be providing more information soon. I'll post an update here
> when available.

Given that this incident already appears publicly known in numerous reports, does any reason exist to keep the original bug private at this point?

Also, regardless of when it becomes public, could you provide the appropriate bug number?  (Also wondering whether I can mark a bug as a duplicate of a bug I can't see. :) )
Comment 4 Kathleen Wilson 2011-08-29 14:16:14 PDT
> Given that this incident already appears publically known in numerous
> reports, does any reason exist to keep the original bug private at this
> point?

That bug is intended for use by the technical team involved in identifying and implementing a solution for Firefox. It is not intended to be used as communication from Mozilla about what action Mozilla is taking.  That communication is also in progress and will be released as soon as possible.


> Also, regardless of when it becomes public, could you provide the
> appropriate bug number?  (Also wondering whether I can mark a bug as a
> duplicate of a bug I can't see. :) )

Actually, for the time being I think it's worthwhile to keep this bug open, so I can post updates into it as they become available.
Comment 5 Boris Zbarsky [:bz] (still a bit busy) 2011-08-29 14:19:36 PDT
Kathleen, you can post updates here even if this bug is resolved, no?
Comment 6 Josh Triplett 2011-08-29 14:25:29 PDT
(In reply to Kathleen Wilson from comment #4)
> > Given that this incident already appears publically known in numerous
> > reports, does any reason exist to keep the original bug private at this
> > point?
> 
> That bug is intended for use by the technical team involved in identifying
> and implementing a solution for Firefox. It is not intended to be used as
> communication from Mozilla about what action Mozilla is taking.  That
> communication is also in progress and will be released as soon as possible.

That's a very diplomatic answer; very well.

> > Also, regardless of when it becomes public, could you provide the
> > appropriate bug number?  (Also wondering whether I can mark a bug as a
> > duplicate of a bug I can't see. :) )
> 
> Actually, for the time being I think it's worthwhile to keep this bug open,
> so I can post updates into it as they become available.

OK, if any other bugs show up I'll dupe them to this one for now.  Removing DUPEME for now, so this bug doesn't accidentally get marked as a dupe of one of the others instead.

Thanks for the fast response.
Comment 7 Kathleen Wilson 2011-08-29 14:30:17 PDT
> OK, if any other bugs show up I'll dupe them to this one for now.  

Yes, please do. 

Thanks.
Comment 8 Kathleen Wilson 2011-08-29 15:19:08 PDT
Please see:
http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/

More info and updates to Mozilla products coming soon.
Comment 9 Paul van Brouwershaven 2011-08-29 15:34:31 PDT
DigiNotar also has the possibility to issue certificates under "DigiNotar PKIoverheid CA Overheid en Bedrijven" -> "Staat der Nederlanden Overheid CA" -> "Staat der Nederlanden Root CA". Is it known whether this root has also been compromised?

A certificate issued by this root can be found at: https://www.digid.nl/
Comment 10 Kathleen Wilson 2011-08-29 16:38:27 PDT
It is my understanding that the patches that are being created will blacklist all DigiNotar-issued certificates based on "CN=DigiNotar " in the certificate issuer.
Comment 11 John Kernighan 2011-08-29 21:27:41 PDT
As of 9:26pm PDT this bug report has made the frontpage of slashdot.org

http://tech.slashdot.org/story/11/08/30/0253254/Another-CA-Issues-False-Certificates-To-Iran

Please address this issue immediately.
Comment 12 Boris Zbarsky [:bz] (still a bit busy) 2011-08-29 21:36:30 PDT
John, the issue has been addressed pretty continuously since about 9 hours ago.

You can download some builds with possible fixes at https://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/bzbarsky@mozilla.com-2befb08d74b1/ and https://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/bsmith@mozilla.com-a598c12afa89/ (the latter once the build machines finish).
Comment 13 Paul van Brouwershaven 2011-08-30 00:45:09 PDT
@Kathleen: Vasco Security, the owner of DigiNotar, states in a Dutch article that the revocation would have no impact on the "DigiNotar PKIoverheid CA Overheid en Bedrijven".

http://tweakers.net/nieuws/76445/browsermakers-geven-nieuwe-versies-uit-na-diginotar-blunder.html

This would be strange as both the root and the intermediate are operated by the same company.

Are you sure that all certificates with "CN=DigiNotar " will be blacklisted, including the intermediate certificates they control?
Comment 14 Paul van Brouwershaven 2011-08-30 02:34:20 PDT
Created attachment 556786 [details]
Root untrusted in test build

Tested the new build; both the DigiNotar and the DigiNotar PKIoverheid CA Overheid en Bedrijven are now untrusted (see attachment).
Comment 15 Gervase Markham [:gerv] 2011-08-30 08:03:18 PDT
Note: this bug is not up to date with the current state of affairs, and the patch mentioned in comment #14 is not the patch we are going to be shipping, nor is the algorithm mentioned in comment #10 the algorithm it uses.

We are on the case; don't worry :-)

Gerv
Comment 16 Paul van Brouwershaven 2011-08-30 08:07:10 PDT
@Gerv, could you please provide some more information?

Does this mean Mozilla still has some trust in DigiNotar and lets them use their intermediate "DigiNotar PKIoverheid CA Overheid en Bedrijven" under "Staat der Nederlanden Overheid CA"?
Comment 17 Gervase Markham [:gerv] 2011-08-30 08:13:20 PDT
The current patch we have checked in dis-trusts everything issued by the DigiNotar Root CA, but does not dis-trust certificates issued by DigiNotar as part of the Staat der Nederlanden PKI (PKIoverheid), which chain up to a different root.

Mozilla's reasons for making this distinction will be made clear soon.

Gerv
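To make the distinction between comment 10 and comment 17 concrete, here is an added Python example (not code from the thread, and not the Firefox patch) that walks a constructed chain of subject/issuer names and applies both rules: the issuer-CN-prefix heuristic from comment 10 and the root-based distrust that Gerv describes in comment 17. The PKIoverheid chain names are the ones quoted in the thread; the fraudulent *.google.com leaf being issued directly by "DigiNotar Root CA" is an assumption made for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str  # CN of the certificate's subject
    issuer: str   # CN of the certificate's issuer


# Constructed store keyed by subject CN. PKIoverheid names are from the thread;
# the *.google.com leaf's direct issuer is an assumption for this example.
STORE = {c.subject: c for c in [
    Cert("DigiNotar Root CA", "DigiNotar Root CA"),
    Cert("*.google.com", "DigiNotar Root CA"),
    Cert("Staat der Nederlanden Root CA", "Staat der Nederlanden Root CA"),
    Cert("Staat der Nederlanden Overheid CA", "Staat der Nederlanden Root CA"),
    Cert("DigiNotar PKIoverheid CA Overheid en Bedrijven",
         "Staat der Nederlanden Overheid CA"),
    Cert("www.digid.nl", "DigiNotar PKIoverheid CA Overheid en Bedrijven"),
]}


def build_chain(leaf_cn, store=STORE):
    """Follow issuer links from the leaf up to a self-signed root."""
    chain = [store[leaf_cn]]
    seen = {leaf_cn}
    while chain[-1].subject != chain[-1].issuer:
        nxt = store.get(chain[-1].issuer)
        if nxt is None or nxt.subject in seen:
            raise ValueError("chain does not end at a known self-signed root")
        seen.add(nxt.subject)
        chain.append(nxt)
    return chain


def distrusted_by_issuer_prefix(chain):
    """Comment 10's rule: any issuer CN in the chain starting with 'DigiNotar'."""
    return any(c.issuer.startswith("DigiNotar") for c in chain)


def distrusted_by_root(chain, distrusted_roots=frozenset({"DigiNotar Root CA"})):
    """Comment 17's rule: only chains that end at a distrusted root."""
    return chain[-1].subject in distrusted_roots


def evaluate(leaf_cn):
    """Return the verdict of both rules for one leaf certificate."""
    chain = build_chain(leaf_cn)
    return {"issuer_prefix": distrusted_by_issuer_prefix(chain),
            "root_based": distrusted_by_root(chain)}
```

The two rules agree on the *.google.com leaf but differ on the DigiD leaf, which is exactly the PKIoverheid case the thread is asking about.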
Comment 18 Kaspar Brand 2011-08-30 11:54:54 PDT
The patch is here, for those who are interested:

http://hg.mozilla.org/releases/mozilla-release/rev/43636529bf9d

Parts 1 and 2, which distrust the "DigiNotar Root CA" and remove the EV bits, are here:

http://hg.mozilla.org/releases/mozilla-release/rev/b5f28acb61c0
http://hg.mozilla.org/releases/mozilla-release/rev/1cb931c6824a
Comment 19 Andy Isaacson 2011-08-30 22:44:45 PDT
(In reply to Gervase Markham [:gerv] from comment #17)
> The current patch we have checked in dis-trusts everything issued by the
> DigiNotar Root CA, but does not dis-trust certificates issued by DigiNotar
> as part of the Staat der Nederlanden PKI (PKIoverheid), which chain up to a
> different root.
> 
> Mozilla's reasons for making this distinction will be made clear soon.

The reason hasn't been made clear yet as far as I know; could you post or link to an explanation?

-andy
Comment 20 Reed Loden [:reed] (use needinfo?) 2011-08-30 22:49:04 PDT

*** This bug has been marked as a duplicate of bug 682927 ***
Comment 21 :Gavin Sharp [email: gavin@gavinsharp.com] 2011-08-31 11:43:35 PDT

*** This bug has been marked as a duplicate of bug 682927 ***