Bug 683449
Remove the exemptions for the Staat der Nederlanden root
Opened 13 years ago
Closed 13 years ago
Categories: Core :: Security: PSM, defect
Tracking: VERIFIED FIXED, mozilla9
People: Reporter: gerv, Assigned: ehsan.akhgari
Details: Keywords: verified-beta, verified1.9.2, Whiteboard: [qa+]
Attachments: 1 file, 1 obsolete file (patch, 1.27 KB, KaiE: review+)
It turns out that there are two Staat der Nederlanden roots in our root store, and our patch only exempts one of them from the DigiNotar block :-(( This means that a number of websites whose certs do not chain up to the dis-trusted DigiNotar root are nevertheless having their certificates viewed as untrusted. I'm not sure how many sites this is.
The roots are:
Staat der Nederlanden Root CA (successfully exempted)
Staat der Nederlanden Root CA - G2 (accidentally included)
The line of code is this one:
if (!strcmp(node->cert->issuerName,
"CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL") ...
This check needs to include both the names above.
Test site:
https://sha2.diginotar.nl/
Gerv
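The mismatch described in this report, as an added example (not the PSM code and not part of the original report): a simplified chain walk showing that an exact strcmp against one issuer DN does not match the G2 root. The struct, the function names and the G2 DN string are assumptions; only the first DN string is quoted in the report.

```c
#include <stdio.h>
#include <string.h>

/* G1_DN is the string quoted in the report. G2_DN is an assumption: the
   second root's name from the report placed in the same DN form. */
#define G1_DN "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL"
#define G2_DN "CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL"

/* Hypothetical stand-in for a chain node; only the issuer DN is modelled. */
struct chain_node {
    const char *issuer_name;
    const struct chain_node *next;
};

static const char *const exempt_issuers[] = { G1_DN, G2_DN };

/* Walk the chain and report whether any issuer DN exactly matches one of the
   first n_roots exempt DNs. n_roots = 1 models the check as reported. */
static int chain_is_exempt(const struct chain_node *n, size_t n_roots)
{
    for (; n != NULL; n = n->next) {
        if (n->issuer_name == NULL)
            continue;
        for (size_t i = 0; i < n_roots; i++)
            if (strcmp(n->issuer_name, exempt_issuers[i]) == 0)
                return 1;
    }
    return 0;
}

/* Constructed sample: a leaf issued by a made-up intermediate, which is in
   turn issued by root_dn. */
static int sample_chain_exempt(const char *root_dn, size_t n_roots)
{
    struct chain_node mid = { root_dn, NULL };
    struct chain_node leaf = { "CN=Constructed Intermediate,O=Example,C=NL", &mid };
    return chain_is_exempt(&leaf, n_roots);
}

int main(void)
{
    printf("G1 chain, one DN checked:   %d\n", sample_chain_exempt(G1_DN, 1));
    printf("G2 chain, one DN checked:   %d\n", sample_chain_exempt(G2_DN, 1));
    printf("G2 chain, both DNs checked: %d\n", sample_chain_exempt(G2_DN, 2));
    return 0;
}
```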
Comment 1•13 years ago
Some more websites:
https://g2test.logius.nl/
https://steenwijkerland.bim.mijnbezwaar.nl/
Let me know if you need more.
Comment 2•13 years ago
Again more sites:
https://secure.valkenswaard.nl/
https://www8.eindhoven.nl/
Thanks
Comment 3•13 years ago (Reporter)
This bug cannot progress until the right people wake up. If we decide to issue a further update, the turnaround time is about 24 hours.
Gerv
Updated•13 years ago
Assignee: nobody → bsmith
Comment 5•13 years ago (Assignee)
Attachment #557158 -
Flags: review?(rrelyea)
Attachment #557158 -
Flags: review?(kaie)
Attachment #557158 -
Flags: review?(dveditz)
Attachment #557158 -
Flags: review?(bsmith)
Comment 6•13 years ago
This is still building on my machine.
Attachment #557159 -
Flags: review?(kaie)
Attachment #557159 -
Flags: review?(honzab.moz)
Attachment #557159 -
Flags: review?(dveditz)
Comment 7•13 years ago (Assignee)
(In reply to Brian Smith (:bsmith) from comment #6)
> Created attachment 557159 [details] [diff] [review]
> WIP - Allow Staat der Nederlanden Root CA - G2 Root
>
> This is still building on my machine.
Same here!
Comment 8•13 years ago
Comment on attachment 557159 [details] [diff] [review]
WIP - Allow Staat der Nederlanden Root CA - G2 Root
Will use Ehsan's patch, which I will r+ as soon as it finishes building on my machine and I can test it.
Attachment #557159 -
Attachment is obsolete: true
Attachment #557159 -
Flags: review?(kaie)
Attachment #557159 -
Flags: review?(honzab.moz)
Attachment #557159 -
Flags: review?(dveditz)
Updated•13 years ago (Assignee)
Blocks: 682927
Keywords: regression
Comment 9•13 years ago
Comment on attachment 557158 [details] [diff] [review]
Patch (v1)
If the Dutch gov insists on this, and Mozilla decides to concur, I'm fine with this code change.
r=kaie
Attachment #557158 -
Flags: review?(kaie) → review+
Comment 10•13 years ago (Assignee)
Just verified locally that the fix is working for all of the test websites.
Comment 11•13 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 12•13 years ago (Assignee)
I landed it on aurora, beta and 1.9.2 (not the relbranch) with johnath's verbal approval:
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/72fd28e61b47
http://hg.mozilla.org/releases/mozilla-aurora/rev/ba929aa09503
http://hg.mozilla.org/releases/mozilla-beta/rev/6791db28b82f
Updated•13 years ago (Assignee)
Attachment #557158 -
Flags: review?(rrelyea)
Attachment #557158 -
Flags: review?(dveditz)
Attachment #557158 -
Flags: review?(bsmith)
Updated•13 years ago (Assignee)
status-firefox9:
--- → fixed
Comment 13•13 years ago
(Confirming that this has any approval flags ehsan needs it to have - a=me)
status1.9.2:
.22-fixed → ---
status-firefox7:
fixed → ---
status-firefox8:
fixed → ---
status-firefox9:
fixed → ---
Updated•13 years ago (Assignee)
status1.9.2:
--- → .22-fixed
status-firefox7:
--- → fixed
status-firefox8:
--- → fixed
status-firefox9:
--- → fixed
See Also: → https://launchpad.net/bugs/838322
Comment 14•13 years ago
Comment on attachment 557158 [details] [diff] [review]
Patch (v1)
> // By request of the Dutch government
I suggest this comment be reworded. This comment
implies we yielded to government pressure. I doubt
that's the case.
How about something like "Staat der Nederlanden Root CA
certified their subordinate DigiNotar CAs were good"?
If it turns out their subordinate DigiNotar CAs were
also attacked, then that'll be reason to remove the
trust for Staat der Nederlanden Root CA.
Similarly, we should ask each of the root CA that
has a subordinate DigiNotar CA to either certify
or revoke the subordinate DigiNotar CA. This is a
good test for the trustworthiness of the root CAs.
Comment 15•13 years ago
(In reply to Wan-Teh Chang from comment #14)
> How about something like "Staat der Nederlanden Root CA
> certified their subordinate DigiNotar CAs were good"?
Sshhh, but does that really matter? This is effectively and right now used as revolving door by DigiNotar. I suggest to A) review this decision, B) check your procedures for such incidences, C) perhaps consult with the Mozilla CA Policy.
It does look very bad in my opinion and it appears to contradict the decision to remove this root.
Comment 16•13 years ago
(In reply to Wan-Teh Chang from comment #14)
> Comment on attachment 557158 [details] [diff] [review]
> Patch (v1)
>
> > // By request of the Dutch government
>
> I suggest this comment be reworded. This comment
> implies we yielded to government pressure. I doubt
> that's the case.
Can someone please blog on the Mozilla Security Blog explaining this part of the situation? How it came about, what has been excepted and what effect it has on people visiting sites that are part of this exception. Thank you.
Comment 17•13 years ago (Reporter)
Mozilla believes that the exemption for certificates under Staat der Nederlanden roots is justified, and it is in line with what other browsers are doing (which used different technical measures which made an exception unnecessary). We will be posting on the security blog soon with a fuller explanation of this. The comment in the source code is not the full story.
Gerv
Comment 18•13 years ago
An explanation would be certainly helpful, thanks.
Comment 19•13 years ago (Assignee)
http://hg.mozilla.org/mozilla-central/rev/471f4fbc9c85
http://hg.mozilla.org/releases/mozilla-aurora/rev/f020f92c79ca
http://hg.mozilla.org/releases/mozilla-beta/rev/f6dafd2dcc63
http://hg.mozilla.org/releases/mozilla-beta/rev/731b7bc62da3
http://hg.mozilla.org/releases/mozilla-release/rev/c32149f14aeb
http://hg.mozilla.org/releases/mozilla-release/rev/58b06f58f4f8
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/2e7eba4287e7
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/dbfc18ea5b93
Comment 20•13 years ago
Considering the patch that landed is actually completely different than what this bug was about, I'm updating the summary and such to reflect that. It would be nice to get the actual patch added as an attachment here.
Keywords: regression
Summary: DigiNotar patch erroneously blocks one of the two Staat der Nederlanden roots → Remove the exemptions for the Staat der Nederlanden root
Comment 21•13 years ago (Assignee)
Comment 22•13 years ago (Assignee)
Comment 23•13 years ago (Assignee)
Comment 24•13 years ago (Assignee)
Comment 25•13 years ago (Assignee)
status-firefox6:
--- → .2-fixed
Comment 26•13 years ago
In a conference of the Dutch government held right now, they also give up trust in their certificates and they expect the browsers to follow.
status1.9.2:
.22-fixed → ---
status-firefox6:
.2-fixed → ---
Updated•13 years ago
status1.9.2:
--- → .22-fixed
status-firefox6:
--- → .2-fixed
Comment 27•13 years ago
Could someone on this bug either indicate what verification steps should be done to verify or even better go ahead and verify yourself. TIA!
Seconding Matt, QA would like to verify this behavior before signing off, but it's unclear how we should be doing it. Any hints would be appreciated.
Comment 29•13 years ago (Reporter)
The following sites should work before the patch, and not after:
Staat der Nederlanden Root CA - G2 via Diginotar PKIOverheid CA Organisatie - G2:
https://belastingbalie.eindhoven.nl/ (Issued: 4th Feb 2011)
Staat der Nederlanden Root CA via Diginotar PKIoverheid CA Overheid en Bedrijven:
https://www.nifpnet.nl/ (Issued 12th May 2011)
I _think_ you should expect to see an overrideable "cert_not_trusted" error.
Gerv
Comment 30•13 years ago
Setting resolution to Verified Fixed on Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Both sites from comment 29 are now showing the "Untrusted Connection Page"
The error is displayed under technical details: "The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)"
The same behavior applies on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Status: RESOLVED → VERIFIED
Comment 31•13 years ago
This bug needs to be verified against all the branches marked above as fixed. The Verified state is also for trunk and not 6.0.2 as what you have used for testing. Please test at least across 3.6.22 build 2, 6.0.2 build 2, and 7.0b4#2.
Status: VERIFIED → RESOLVED
Closed: 13 years ago → 13 years ago
Updated•13 years ago
Component: CA Certificates → Security: PSM
Product: NSS → Core
QA Contact: root-certs → psm
Version: trunk → unspecified
Comment 32•13 years ago
I've verified this against 3.6.22(build2), 6.0.2(build2), 7.0b4(build2), and latest Nightly using Windows XP or Mac. The first url in comment #29 is now using a certificate, issued on 9/5, by a different certificate authority so there is no error. This is to be expected. The second url is untrusted but overridable.
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
Updated•13 years ago
Keywords: verified-beta
Updated•13 years ago
Target Milestone: --- → mozilla9
Comment 34•13 years ago
(In reply to Vlad [QA] from comment #30)
> Setting resolution to Verified Fixed on Mozilla/5.0 (Windows NT 6.1;
> rv:6.0.2) Gecko/20100101 Firefox/6.0.2
>
> Both sites from comment29 are now showing the "Untrusted Connection Page"
> The error is displayed under technical details: "The certificate is not
> trusted because the issuer certificate is unknown.Error code:
> sec_error_unknown_issuer)
>
> The same behavior applies on:
> Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101
> Firefox/6.0.2
> Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
> Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
But I still can go into their website even in Firefox 6.0.2
For both websites I didn't get the "Untrusted Connection Page". I did not get the error that is displayed under technical details: "The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)"
Comment 35•13 years ago
Because both websites have been issued new certificates meanwhile. Which means they are no valid testcases anymore.
Comment 37•13 years ago
(In reply to Henrik Skupin (:whimboo) from comment #35)
> Because both websites have been issued new certificates meanwhile. Which
> means they are no valid testcases anymore.
New testcase, the Dutch secret service still has a Diginotar cert!
Staat der Nederlanden Root CA via Diginotar PKIoverheid CA Overheid en Bedrijven:
https://www.aivd.nl/