Bug 683449 - Remove the exemptions for the Staat der Nederlanden root
Status: VERIFIED FIXED
Whiteboard: [qa+]
Keywords: verified-beta, verified1.9.2
Product: Core
Classification: Components
Component: Security: PSM
Version: unspecified
Platform: All / All
Importance: -- blocker (1 vote)
Target Milestone: mozilla9
Assigned To: :Ehsan Akhgari
QA Contact: David Keeler [:keeler] (use needinfo?)
Duplicates: 684747
Blocks: 682927
Reported: 2011-08-31 01:51 PDT by Gervase Markham [:gerv]
Modified: 2012-03-17 18:48 PDT
CC: 38 users


Attachments
Patch (v1) (1.27 KB, patch)
  2011-08-31 07:14 PDT, :Ehsan Akhgari
  Flags: kaie: review+
WIP - Allow Staat der Nederlanden Root CA - G2 Root (1.42 KB, patch)
  2011-08-31 07:14 PDT, Brian Smith (:briansmith, :bsmith, use NEEDINFO?)
  Flags: none

Description: Gervase Markham [:gerv], 2011-08-31 01:51:01 PDT
It turns out that there are two Staat der Nederlanden roots in our root store, and our patch only exempts one of them from the DigiNotar block :-(( This means that a number of websites whose certs do not chain up to the dis-trusted DigiNotar root are nevertheless having their certificates viewed as untrusted. I'm not sure how many sites this is.

The roots are:
Staat der Nederlanden Root CA
  (successfully exempted)
Staat der Nederlanden Root CA - G2
  (accidentally included)

The line of code is this one:

if (!strcmp(node->cert->issuerName,
    "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL") ...

This check needs to include both the names above.

Test site:
https://sha2.diginotar.nl/

Gerv
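The check quoted above compares the issuer name against exactly one DN string, which is why a chain ending in the second root fell through to the block. The following is an added example, not Firefox/PSM code, that models that exemption check as a small function so the one-root and two-root exemption lists can be compared side by side. The function names, the chain layout and the DigiNotar intermediate and root DNs are constructed for this example; the two Staat der Nederlanden DNs are the two roots named in the bug, written in the DN form the quoted code uses.

```python
# Added example (not Firefox/PSM code): a minimal model of the issuer-name
# exemption check quoted in the bug description. Function names, the chain
# layout and the DigiNotar DNs below are constructed for this example; the
# two Staat der Nederlanden DNs are the two roots named in the bug.

from typing import FrozenSet, List

# Root DNs from the bug: the quoted strcmp matched only the first one.
STAAT_NL_ROOT = "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL"
STAAT_NL_ROOT_G2 = "CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL"

# Exemption list as the original check behaved (one root) and as the bug
# asks for it to behave (both roots).
EXEMPT_BUGGY: FrozenSet[str] = frozenset({STAAT_NL_ROOT})
EXEMPT_FIXED: FrozenSet[str] = frozenset({STAAT_NL_ROOT, STAAT_NL_ROOT_G2})


def is_diginotar_issuer(issuer_dn: str) -> bool:
    """Stand-in for the DigiNotar block: flag any issuer whose O= names DigiNotar."""
    return any(rdn.startswith("O=DigiNotar") for rdn in issuer_dn.split(","))


def chain_blocked(chain_issuers: List[str], exempt_roots: FrozenSet[str]) -> bool:
    """Decide whether a chain is rejected by the (modelled) DigiNotar block.

    chain_issuers lists the issuerName of each certificate from the leaf
    upward; a self-signed root's issuerName is its own DN, so
    chain_issuers[-1] is the DN of the root the chain terminates in.
    A chain is blocked when any certificate in it was issued by DigiNotar
    and the terminating root is not on the exemption list. Like the quoted
    strcmp, the exemption is an exact string comparison: a root is exempt
    only if its DN is listed verbatim.
    """
    if not chain_issuers:
        raise ValueError("empty chain")
    touches_diginotar = any(is_diginotar_issuer(dn) for dn in chain_issuers)
    root_dn = chain_issuers[-1]
    return touches_diginotar and root_dn not in exempt_roots


# Constructed sample chains (issuerName per certificate, leaf first).
# The intermediate CA names follow the ones listed in comment 29;
# their O= and C= attributes are constructed for this example.
CHAIN_UNDER_G2 = [
    "CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL",
    STAAT_NL_ROOT_G2,
]
CHAIN_UNDER_ROOT = [
    "CN=DigiNotar PKIoverheid CA Overheid en Bedrijven,O=DigiNotar B.V.,C=NL",
    STAAT_NL_ROOT,
]
CHAIN_UNDER_DIGINOTAR = [
    "CN=DigiNotar Example Sub CA,O=DigiNotar,C=NL",  # constructed
    "CN=DigiNotar Root CA,O=DigiNotar,C=NL",         # constructed
]
CHAIN_UNRELATED = [
    "CN=Example Issuing CA,O=Example Corp,C=NL",     # constructed
    "CN=Example Root CA,O=Example Corp,C=NL",        # constructed
]


def compare_exemptions() -> dict:
    """Return {chain name: (blocked with one-root list, blocked with two-root list)}."""
    chains = {
        "under Staat der Nederlanden Root CA - G2": CHAIN_UNDER_G2,
        "under Staat der Nederlanden Root CA": CHAIN_UNDER_ROOT,
        "under DigiNotar Root CA": CHAIN_UNDER_DIGINOTAR,
        "unrelated CA": CHAIN_UNRELATED,
    }
    return {
        name: (chain_blocked(c, EXEMPT_BUGGY), chain_blocked(c, EXEMPT_FIXED))
        for name, c in chains.items()
    }


if __name__ == "__main__":
    for name, (buggy, fixed) in compare_exemptions().items():
        print(f"{name}: one-root list={'blocked' if buggy else 'allowed'}, "
              f"two-root list={'blocked' if fixed else 'allowed'}")
```

Running it shows the failure mode from the description: with only the first DN listed, a chain that terminates in the G2 root is blocked even though it never touches the distrusted DigiNotar root, while the two-root list allows it and still blocks chains that end in a DigiNotar root. The model is deliberately simplified and is not a description of how the real block in Firefox walks the chain.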
Comment 1: Mark Janssen, 2011-08-31 03:09:49 PDT
Some more websites:
https://g2test.logius.nl/
https://steenwijkerland.bim.mijnbezwaar.nl/

Let me know if you need more.
Comment 2: Mark Janssen, 2011-08-31 03:38:46 PDT
Again more sites:
https://secure.valkenswaard.nl/
https://www8.eindhoven.nl/

Thanks
Comment 3: Gervase Markham [:gerv], 2011-08-31 03:46:09 PDT
This bug cannot progress until the right people wake up. If we decide to issue a further update, the turnaround time is about 24 hours.

Gerv
Comment 4: :Ehsan Akhgari, 2011-08-31 07:12:26 PDT
I think I may have a patch.
Comment 5: :Ehsan Akhgari, 2011-08-31 07:14:19 PDT
Created attachment 557158 [details] [diff] [review]
Patch (v1)
Comment 6: Brian Smith (:briansmith, :bsmith, use NEEDINFO?), 2011-08-31 07:14:34 PDT
Created attachment 557159 [details] [diff] [review]
WIP - Allow Staat der Nederlanden Root CA - G2 Root

This is still building on my machine.
Comment 7: :Ehsan Akhgari, 2011-08-31 07:16:25 PDT
(In reply to Brian Smith (:bsmith) from comment #6)
> Created attachment 557159 [details] [diff] [review]
> WIP - Allow Staat der Nederlanden Root CA - G2 Root
> 
> This is still building on my machine.

Same here!
Comment 8: Brian Smith (:briansmith, :bsmith, use NEEDINFO?), 2011-08-31 07:24:12 PDT
Comment on attachment 557159 [details] [diff] [review]
WIP - Allow Staat der Nederlanden Root CA - G2 Root

Will use Ehsan's patch, which I will r+ as soon as it finishes building on my machine and I can test it.
Comment 9: Kai Engert (:kaie), 2011-08-31 07:26:01 PDT
Comment on attachment 557158 [details] [diff] [review]
Patch (v1)

If the Dutch gov insists on this, and Mozilla decides to concur, I'm fine with this code change.
r=kaie
Comment 10: :Ehsan Akhgari, 2011-08-31 07:38:10 PDT
Just verified locally that the fix is working for all of the test websites.
Comment 12: :Ehsan Akhgari, 2011-08-31 07:46:21 PDT
I landed it on aurora, beta and 1.9.2 (not the relbranch) with johnath's verbal approval:

http://hg.mozilla.org/releases/mozilla-1.9.2/rev/72fd28e61b47
http://hg.mozilla.org/releases/mozilla-aurora/rev/ba929aa09503
http://hg.mozilla.org/releases/mozilla-beta/rev/6791db28b82f
Comment 13: Johnathan Nightingale [:johnath], 2011-08-31 07:58:03 PDT
(Confirming that this has any approval flags ehsan needs it to have - a=me)
Comment 14: Wan-Teh Chang, 2011-08-31 15:16:52 PDT
Comment on attachment 557158 [details] [diff] [review]
Patch (v1)

>     // By request of the Dutch government

I suggest this comment be reworded.  This comment
implies we yielded to government pressure.  I doubt
that's the case.

How about something like "Staat der Nederlanden Root CA
certified their subordinate DigiNotar CAs were good"?
If it turns out their subordinate DigiNotar CAs were
also attacked, then that'll be reason to remove the
trust for Staat der Nederlanden Root CA.

Similarly, we should ask each of the root CA that
has a subordinate DigiNotar CA to either certify
or revoke the subordinate DigiNotar CA.  This is a
good test for the trustworthiness of the root CAs.
Comment 15: Eddy Nigg (StartCom), 2011-08-31 15:49:43 PDT
(In reply to Wan-Teh Chang from comment #14)
> How about something like "Staat der Nederlanden Root CA
> certified their subordinate DigiNotar CAs were good"?

Sshhh, but does that really matter? This is effectively, and right now, used as a revolving door by DigiNotar. I suggest A) reviewing this decision, B) checking your procedures for such incidents, C) perhaps consulting the Mozilla CA Policy.

It does look very bad in my opinion and it appears to contradict the decision to remove this root.
Comment 16: Daniel Cater, 2011-08-31 16:22:02 PDT
(In reply to Wan-Teh Chang from comment #14)
> Comment on attachment 557158 [details] [diff] [review]
> Patch (v1)
> 
> >     // By request of the Dutch government
> 
> I suggest this comment be reworded.  This comment
> implies we yielded to government pressure.  I doubt
> that's the case.

Can someone please blog on the Mozilla Security Blog explaining this part of the situation? How it came about, what has been excepted and what effect it has on people visiting sites that are part of this exception. Thank you.
Comment 17: Gervase Markham [:gerv], 2011-09-01 03:48:26 PDT
Mozilla believes that the exemption for certificates under Staat der Nederlanden roots is justified, and it is in line with what other browsers are doing (which used different technical measures which made an exception unnecessary). We will be posting on the security blog soon with a fuller explanation of this. The comment in the source code is not the full story.

Gerv
Comment 18: Eddy Nigg (StartCom), 2011-09-01 04:00:35 PDT
An explanation would be certainly helpful, thanks.
Comment 20: Reed Loden [:reed] (use needinfo?), 2011-09-02 11:55:49 PDT
Considering the patch that landed is actually completely different than what this bug was about, I'm updating the summary and such to reflect that. It would be nice to get the actual patch added as an attachment here.
Comment 21: :Ehsan Akhgari, 2011-09-02 12:02:20 PDT
Also: http://hg.mozilla.org/mozilla-central/rev/5319db188180
Comment 26: Edwin Martin, 2011-09-02 16:23:08 PDT
In a conference of the Dutch government held right now, they also give up trust in their certificates and they expect the browsers to follow.
Comment 27: Matt Evans [:mevans], 2011-09-03 15:32:05 PDT
Could someone on this bug either indicate what verification steps should be done to verify, or even better go ahead and verify yourself. TIA!
Comment 28: Geo Mealer [:geo] (this account is inactive after 2015-07-07), 2011-09-04 18:17:55 PDT
Seconding Matt, QA would like to verify this behavior before signing off, but it's unclear how we should be doing it. Any hints would be appreciated.
Comment 29: Gervase Markham [:gerv], 2011-09-05 02:45:42 PDT
The following sites should work before the patch, and not after:

Staat der Nederlanden Root CA - G2 via Diginotar PKIOverheid CA Organisatie - G2: 
  https://belastingbalie.eindhoven.nl/ (Issued: 4th Feb 2011)

Staat der Nederlanden Root CA via Diginotar PKIoverheid CA Overheid en Bedrijven:
  https://www.nifpnet.nl/ (Issued 12th May 2011)

I _think_ you should expect to see an overridable "cert_not_trusted" error.

Gerv
Comment 30: Vlad [QA], 2011-09-05 07:07:25 PDT
Setting resolution to Verified Fixed on Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

Both sites from comment 29 are now showing the "Untrusted Connection Page".
The error is displayed under technical details: "The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)"

The same behavior applies on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Comment 31: Henrik Skupin (:whimboo) [away 02/18 - 02/27], 2011-09-05 07:20:12 PDT
This bug needs to be verified against all the branches marked above as fixed. The Verified state is also for trunk and not 6.0.2 as what you have used for testing. Please test at least across 3.6.22 build 2, 6.0.2 build 2, and 7.0b4#2.
Comment 32: juan becerra [:juanb], 2011-09-05 12:42:40 PDT
I've verified this against 3.6.22(build2), 6.0.2(build2), 7.0b4(build2), and latest Nightly using Windows XP or Mac. The first url in comment #29 is now using a certificate, issued on 9/5, by a different certificate authority so there is no error. This is to be expected. The second url is untrusted but overridable.
Comment 33: Dave Garrett, 2011-09-05 14:33:24 PDT
*** Bug 684747 has been marked as a duplicate of this bug. ***
Comment 34: Tan Wei Lin Jason [:Ryuji], 2011-09-07 07:42:44 PDT
(In reply to Vlad [QA] from comment #30)
> Setting resolution to Verified Fixed on Mozilla/5.0 (Windows NT 6.1;
> rv:6.0.2) Gecko/20100101 Firefox/6.0.2
> 
> Both sites from comment29 are now showing the "Untrusted Connection Page"
> The error is displayed under technical details: "The certificate is not
> trusted because the issuer certificate is unknown.Error code:
> sec_error_unknown_issuer)
> 
> The same behavior applies on:
> Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101
> Firefox/6.0.2
> Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
> Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

But I can still go into their websites even in Firefox 6.0.2.
For both websites I didn't get the "Untrusted Connection Page"; I did not get the error that is displayed under technical details: "The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)"
Comment 35: Henrik Skupin (:whimboo) [away 02/18 - 02/27], 2011-09-07 08:55:12 PDT
Because both websites have been issued new certificates in the meantime, which means they are no longer valid testcases.
Comment 36: juan becerra [:juanb], 2011-09-09 14:43:21 PDT
This needs to be verified on Aurora.
Comment 37: Erik Bosman, 2011-09-09 15:52:18 PDT
(In reply to Henrik Skupin (:whimboo) from comment #35)
> Because both websites have been issued new certificates meanwhile. Which
> means they are no valid testcases anymore.

New testcase, the Dutch secret service still has a Diginotar cert!

Staat der Nederlanden Root CA via Diginotar PKIoverheid CA Overheid en Bedrijven:
https://www.aivd.nl/
