
Investigate *.google.com certificate issued by DigiNotar and used by Iran government?

RESOLVED DUPLICATE of bug 682927

Status

mozilla.org
CA Certificates
RESOLVED DUPLICATE of bug 682927
6 years ago
6 years ago

People

(Reporter: Paul van Brouwershaven, Assigned: Kathleen Wilson)

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
Created attachment 556662 [details]
fake_certificate_base64.cer

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.215 Safari/535.1

Steps to reproduce:

I would like to request your attention for the following thread in Google help forum:

http://www.google.co.uk/support/forum/p/gmail/thread?tid=2da6158b094b225a&hl=en

This mentions a certificate for *.google.com (serial 05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56) issued by DigiNotar and used by Iran government?

More details:
http://pastebin.com/ff7Yg663

Comment 1

6 years ago
Triaging.  Already known by the right people at Mozilla; see bug 681902 comment 6, which references "the current DigiNotar incident".  Setting appropriate product/component, confirming, marking dupme in the hopes that a bug already exists for this.
Assignee: nobody → kwilson
Status: UNCONFIRMED → NEW
Component: General → CA Certificates
Ever confirmed: true
OS: Mac OS X → All
Product: Core → mozilla.org
QA Contact: general → ca-certificates
Hardware: x86 → All
Whiteboard: dupme
Version: unspecified → other
(Assignee)

Comment 2

6 years ago
This is being urgently worked through according to Mozilla's Security Bugs Policy:
http://www.mozilla.org/projects/security/security-bugs-policy.html

Mozilla will be providing more information soon. I'll post an update here when available.

Comment 3

6 years ago
(In reply to Kathleen Wilson from comment #2)
> This is being urgently worked through according to Mozilla's Security Bugs
> Policy:
> http://www.mozilla.org/projects/security/security-bugs-policy.html
> 
> Mozilla will be providing more information soon. I'll post an update here
> when available.

Given that this incident already appears publicly known in numerous reports, does any reason exist to keep the original bug private at this point?

Also, regardless of when it becomes public, could you provide the appropriate bug number?  (Also wondering whether I can mark a bug as a duplicate of a bug I can't see. :) )
(Assignee)

Comment 4

6 years ago
> Given that this incident already appears publically known in numerous
> reports, does any reason exist to keep the original bug private at this
> point?

That bug is intended for use by the technical team involved in identifying and implementing a solution for Firefox. It is not intended to be used as communication from Mozilla about what action Mozilla is taking.  That communication is also in progress and will be released as soon as possible.


> Also, regardless of when it becomes public, could you provide the
> appropriate bug number?  (Also wondering whether I can mark a bug as a
> duplicate of a bug I can't see. :) )

Actually, for the time being I think it's worthwhile to keep this bug open, so I can post updates into it as they become available.
Whiteboard: dupme → DUPEME
Comment 5

6 years ago
Kathleen, you can post updates here even if this bug is resolved, no?

Comment 6

6 years ago
(In reply to Kathleen Wilson from comment #4)
> > Given that this incident already appears publically known in numerous
> > reports, does any reason exist to keep the original bug private at this
> > point?
> 
> That bug is intended for use by the technical team involved in identifying
> and implementing a solution for Firefox. It is not intended to be used as
> communication from Mozilla about what action Mozilla is taking.  That
> communication is also in progress and will be released as soon as possible.

That's a very diplomatic answer; very well.

> > Also, regardless of when it becomes public, could you provide the
> > appropriate bug number?  (Also wondering whether I can mark a bug as a
> > duplicate of a bug I can't see. :) )
> 
> Actually, for the time being I think it's worthwhile to keep this bug open,
> so I can post updates into it as they become available.

OK, if any other bugs show up I'll dupe them to this one for now.  Removing DUPEME for now, so this bug doesn't accidentally get marked as a dupe of one of the others instead.

Thanks for the fast response.
Whiteboard: DUPEME
(Assignee)

Comment 7

6 years ago
> OK, if any other bugs show up I'll dupe them to this one for now.  

Yes, please do. 

Thanks.
(Assignee)

Comment 8

6 years ago
Please see:
http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/

More info and updates to Mozilla products coming soon.
(Reporter)

Comment 9

6 years ago
DigiNotar also has the possibility to issue certificates on the "DigiNotar PKIoverheid CA Overheid en Bedrijven" -> "Staat der Nederlanden Overheid CA" -> "Staat der Nederlanden Root CA". Is it known whether this root has also been compromised?

A certificate issued by this root can be found at: https://www.digid.nl/
(Assignee)

Comment 10

6 years ago
It is my understanding that the patches that are being created will blacklist all DigiNotar-issued certificates based on "CN=DigiNotar " in the certificate issuer.

Comment 11

6 years ago
As of 9:26pm PDT this bug report has made the frontpage of slashdot.org

http://tech.slashdot.org/story/11/08/30/0253254/Another-CA-Issues-False-Certificates-To-Iran

Please address this issue immediately.
Comment 12

6 years ago
John, the issue has been being addressed pretty continuously since about 9 hours ago.

You can download some builds with possible fixes at https://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/bzbarsky@mozilla.com-2befb08d74b1/ and https://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/bsmith@mozilla.com-a598c12afa89/ (the latter once the build machines finish).
(Reporter)

Comment 13

6 years ago
@Kathleen Vasco Security, owner of DigiNotar, states in a Dutch article that the revocation would have no impact on the "DigiNotar PKIoverheid CA Overheid en Bedrijven".

http://tweakers.net/nieuws/76445/browsermakers-geven-nieuwe-versies-uit-na-diginotar-blunder.html

This would be strange as both the root and the intermediate are operated by the same company.

Are you sure that all certificates with "CN=DigiNotar " will be blacklisted, including the intermediate certificates they control?
(Reporter)

Comment 14

6 years ago
Created attachment 556786 [details]
Root untrusted in test build

Tested the new build, both the DigiNotar and the DigiNotar PKIoverheid CA Overheid en Bedrijven are now untrusted. (see attachment)
Comment 15

6 years ago
Note: this bug is not up to date with the current state of affairs, and the patch mentioned in comment #14 is not the patch we are going to be shipping, nor is the algorithm mentioned in comment #10 the algorithm it uses.

We are on the case; don't worry :-)

Gerv
(Reporter)

Comment 16

6 years ago
@Gerv, could you please provide some more information?

Does this mean Mozilla still has some trust in DigiNotar and lets them use their intermediate "DigiNotar PKIoverheid CA Overheid en Bedrijven" under "Staat der Nederlanden Overheid CA"?

Comment 17

6 years ago
The current patch we have checked in distrusts everything issued by the DigiNotar Root CA, but does not distrust certificates issued by DigiNotar as part of the Staat der Nederlanden PKI (PKIoverheid), which chain up to a different root.

Mozilla's reasons for making this distinction will be made clear soon.

Gerv
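
The two distrust rules discussed in this thread, the issuer-name blacklist described in comment 10 (reject anything whose issuer CN starts with "DigiNotar") and the root-only distrust described in comment 17 (reject only chains anchored at the "DigiNotar Root CA"), differ precisely on the PKIoverheid case the reporter raised. The Go program below is an added example written for this page; it is not Mozilla's patch and not NSS code. It generates a throwaway hierarchy using the CA and host names that appear in this bug (the keys, serial numbers and validity periods are made up for the example), verifies a *.google.com leaf and a www.digid.nl leaf against both roots, and applies each rule to the resulting chains.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

var serial int64 // example-only serial counter, not a real CA's serial scheme

// issue creates a certificate with the given CN signed by parent (self-signed when
// parent is nil). Keys are throwaway P-256 keys generated for this example.
func issue(cn string, ca bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
		DNSNames:              dns,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// verify builds the trusted path for leaf and returns it leaf-first, root-last.
func verify(leaf *x509.Certificate, host string, roots, inters *x509.CertPool) []*x509.Certificate {
	return must(leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters}))[0]
}

// Chains builds the two hierarchies named in this bug: a *.google.com leaf under
// "DigiNotar Root CA", and a www.digid.nl leaf under the DigiNotar PKIoverheid
// sub-CA, which chains to "Staat der Nederlanden Root CA". Both roots are trusted.
func Chains() (google, digid []*x509.Certificate) {
	dnRoot, dnKey := issue("DigiNotar Root CA", true, nil, nil, nil)
	googleLeaf, _ := issue("*.google.com", false, []string{"*.google.com"}, dnRoot, dnKey)

	nlRoot, nlKey := issue("Staat der Nederlanden Root CA", true, nil, nil, nil)
	overheid, overheidKey := issue("Staat der Nederlanden Overheid CA", true, nil, nlRoot, nlKey)
	pkio, pkioKey := issue("DigiNotar PKIoverheid CA Overheid en Bedrijven", true, nil, overheid, overheidKey)
	digidLeaf, _ := issue("www.digid.nl", false, []string{"www.digid.nl"}, pkio, pkioKey)

	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(dnRoot)
	roots.AddCert(nlRoot)
	inters.AddCert(overheid)
	inters.AddCert(pkio)
	return verify(googleLeaf, "www.google.com", roots, inters), verify(digidLeaf, "www.digid.nl", roots, inters)
}

// IssuerCNDistrusted is the rule from comment 10: reject a chain if any certificate
// in it was issued by a CN starting with "DigiNotar". The digid.nl chain trips it
// because the PKIoverheid sub-CA issues under a DigiNotar name.
func IssuerCNDistrusted(chain []*x509.Certificate) bool {
	for _, c := range chain {
		if strings.HasPrefix(c.Issuer.CommonName, "DigiNotar") {
			return true
		}
	}
	return false
}

// RootDistrusted is the rule from comment 17: reject only chains that terminate in
// the "DigiNotar Root CA" anchor, so everything under the Dutch state root survives.
func RootDistrusted(chain []*x509.Certificate) bool {
	return chain[len(chain)-1].Subject.CommonName == "DigiNotar Root CA"
}

func main() {
	google, digid := Chains()
	fmt.Println("*.google.com  issuer-CN rule:", IssuerCNDistrusted(google), " root rule:", RootDistrusted(google))
	fmt.Println("www.digid.nl  issuer-CN rule:", IssuerCNDistrusted(digid), " root rule:", RootDistrusted(digid))
}
```

Running it shows the *.google.com chain rejected by both rules, while the www.digid.nl chain is rejected only by the issuer-CN rule: its leaf is issued by the DigiNotar-named sub-CA even though the path terminates at the Staat der Nederlanden root. A name-prefix match is a coarse control in general, since the issuer string is whatever the signing CA chose to put there; a deployed distrust entry targets a specific certificate (a root or an intermediate) rather than a name, which is what makes the distinction in comment 17 possible at all.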

Comment 18

6 years ago
The patch is here, for those who are interested:

http://hg.mozilla.org/releases/mozilla-release/rev/43636529bf9d

Parts 1 and 2, which distrust the "DigiNotar Root CA" and remove the EV bits, are here:

http://hg.mozilla.org/releases/mozilla-release/rev/b5f28acb61c0
http://hg.mozilla.org/releases/mozilla-release/rev/1cb931c6824a

Comment 19

6 years ago
(In reply to Gervase Markham [:gerv] from comment #17)
> The current patch we have checked in dis-trusts everything issued by the
> DigiNotar Root CA, but does not dis-trust certificates issued by DigiNotar
> as part of the Staat der Nederlanden PKI (PKIoverheid), which chain up to a
> different root.
> 
> Mozilla's reasons for making this distinction will be made clear soon.

The reason hasn't been made clear as far as I know yet, could you post or link to an explanation?

-andy
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 682927
Status: RESOLVED → UNCONFIRMED
Ever confirmed: false
Resolution: DUPLICATE → ---
Status: UNCONFIRMED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 682927