Bug 683449 - Remove the exemptions for the Staat der Nederlanden root
Status: VERIFIED FIXED
Whiteboard: [qa+]
Keywords: verified-beta, verified1.9.2
Product: Core
Classification: Components
Component: Security: PSM
Version: unspecified
Platform: All All
Importance: -- blocker with 1 vote
Target Milestone: mozilla9
Assigned To: :Ehsan Akhgari
QA Contact: David Keeler [:keeler] (use needinfo?)
Duplicates: 684747
Blocks: 682927
Reported: 2011-08-31 01:51 PDT by Gervase Markham [:gerv]
Modified: 2012-03-17 18:48 PDT
Branch status flags: .2-fixed, fixed, fixed, fixed, .22-fixed

Attachments
Patch (v1) (1.27 KB, patch)
2011-08-31 07:14 PDT, :Ehsan Akhgari
kaie: review+
WIP - Allow Staat der Nederlanden Root CA - G2 Root (1.42 KB, patch)
2011-08-31 07:14 PDT, Brian Smith (:briansmith, :bsmith, use NEEDINFO?)

Description Gervase Markham [:gerv] 2011-08-31 01:51:01 PDT
It turns out that there are two Staat der Nederlanden roots in our root store, and our patch only exempts one of them from the DigiNotar block :-(( This means that a number of websites whose certs do not chain up to the dis-trusted DigiNotar root are nevertheless having their certificates viewed as untrusted. I'm not sure how many sites this is.

The roots are:
Staat der Nederlanden Root CA
  (successfully exempted)
Staat der Nederlanden Root CA - G2
  (accidentally included)

The line of code is this one:

if (!strcmp(node->cert->issuerName,
    "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL") ...

This check needs to include both the names above.

Test site:
https://sha2.diginotar.nl/

Gerv
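The description above quotes a single-DN strcmp and says the exemption must cover both root names. The following C program is an added illustration, not code from the bug or from PSM: it places the quoted one-name check beside a two-name version and runs both over a simplified, constructed model of the DigiNotar block (a chain is distrusted when one of its certificates was issued by a DigiNotar CA and no issuer in the chain matches the exemption). The DN string for the G2 root, the O= and C= parts of the intermediate names, the sample chains and the `strstr("DigiNotar")` heuristic are all assumptions made for this example; PSM's real chain walk is not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Issuer DN quoted in the bug description: the only root the first
 * patch exempted. */
#define ROOT_CA_DN "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL"

/* Assumed DN of the second root named in the description ("Staat der
 * Nederlanden Root CA - G2"), written by analogy with the one above. */
#define ROOT_CA_G2_DN "CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL"

/* v0: the single-DN check as quoted in the description. */
int issuer_exempt_v0(const char *issuerName)
{
    return strcmp(issuerName, ROOT_CA_DN) == 0;
}

/* v1: the check the description asks for, covering both root names. */
int issuer_exempt_v1(const char *issuerName)
{
    static const char *const exempt[] = { ROOT_CA_DN, ROOT_CA_G2_DN };
    size_t n = sizeof exempt / sizeof exempt[0];
    for (size_t i = 0; i < n; i++) {
        if (strcmp(issuerName, exempt[i]) == 0)
            return 1;
    }
    return 0;
}

/* Simplified model (not PSM's real chain walk) of the DigiNotar block.
 * `issuers` holds the issuer DN of each certificate in the chain, leaf
 * first, NULL-terminated.  The chain is distrusted when some certificate
 * was issued by a DigiNotar CA (case-sensitive substring match, an
 * assumption for this example) and no issuer passes `exempt`. */
int chain_distrusted(const char *const *issuers, int (*exempt)(const char *))
{
    int seen_diginotar = 0, seen_exempt = 0;
    for (; *issuers != NULL; issuers++) {
        if (strstr(*issuers, "DigiNotar") != NULL)
            seen_diginotar = 1;
        if (exempt(*issuers))
            seen_exempt = 1;
    }
    return seen_diginotar && !seen_exempt;
}

/* Constructed sample chains.  Intermediate CA names follow the ones
 * mentioned in the bug; the O= and C= parts are assumptions. */
static const char *const kChainViaG2[] = {
    "CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar B.V.,C=NL",
    ROOT_CA_G2_DN,
    NULL,
};
static const char *const kChainViaRootCA[] = {
    "CN=DigiNotar PKIoverheid CA Overheid en Bedrijven,O=DigiNotar B.V.,C=NL",
    ROOT_CA_DN,
    NULL,
};
static const char *const kChainViaDigiNotarRoot[] = {
    "CN=DigiNotar Example Sub CA,O=DigiNotar,C=NL",   /* constructed */
    "CN=DigiNotar Root CA,O=DigiNotar,C=NL",          /* constructed */
    NULL,
};

int main(void)
{
    printf("G2 chain, one-name check:      %s\n",
           chain_distrusted(kChainViaG2, issuer_exempt_v0) ? "distrusted" : "trusted");
    printf("G2 chain, two-name check:      %s\n",
           chain_distrusted(kChainViaG2, issuer_exempt_v1) ? "distrusted" : "trusted");
    printf("Root CA chain, one-name check: %s\n",
           chain_distrusted(kChainViaRootCA, issuer_exempt_v0) ? "distrusted" : "trusted");
    printf("DigiNotar root, two-name check: %s\n",
           chain_distrusted(kChainViaDigiNotarRoot, issuer_exempt_v1) ? "distrusted" : "trusted");
    return 0;
}
```

With the one-name check the chain under the G2 root is distrusted even though it never reaches the DigiNotar root, which is the symptom the description reports; the two-name check lets that chain through while a chain that terminates at the DigiNotar root stays blocked under either version.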
Comment 1 Mark Janssen 2011-08-31 03:09:49 PDT
Some more websites:
https://g2test.logius.nl/
https://steenwijkerland.bim.mijnbezwaar.nl/

Let me know if you need more.
Comment 2 Mark Janssen 2011-08-31 03:38:46 PDT
Again more sites:
https://secure.valkenswaard.nl/
https://www8.eindhoven.nl/

Thanks
Comment 3 Gervase Markham [:gerv] 2011-08-31 03:46:09 PDT
This bug cannot progress until the right people wake up. If we decide to issue a further update, the turnaround time is about 24 hours.

Gerv
Comment 4 :Ehsan Akhgari 2011-08-31 07:12:26 PDT
I think I may have a patch.
Comment 5 :Ehsan Akhgari 2011-08-31 07:14:19 PDT
Created attachment 557158 [details] [diff] [review]
Patch (v1)
Comment 6 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-08-31 07:14:34 PDT
Created attachment 557159 [details] [diff] [review]
WIP - Allow Staat der Nederlanden Root CA - G2 Root

This is still building on my machine.
Comment 7 :Ehsan Akhgari 2011-08-31 07:16:25 PDT
(In reply to Brian Smith (:bsmith) from comment #6)
> Created attachment 557159 [details] [diff] [review]
> WIP - Allow Staat der Nederlanden Root CA - G2 Root
> 
> This is still building on my machine.

Same here!
Comment 8 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2011-08-31 07:24:12 PDT
Comment on attachment 557159 [details] [diff] [review]
WIP - Allow Staat der Nederlanden Root CA - G2 Root

Will use Ehsan's patch, which I will r+ as soon as it finishes building on my machine and I can test it.
Comment 9 Kai Engert (:kaie) (on vacation) 2011-08-31 07:26:01 PDT
Comment on attachment 557158 [details] [diff] [review]
Patch (v1)

If the Dutch gov insists on this, and Mozilla decides to concur, I'm fine with this code change.
r=kaie
Comment 10 :Ehsan Akhgari 2011-08-31 07:38:10 PDT
Just verified locally that the fix is working for all of the test websites.
Comment 12 :Ehsan Akhgari 2011-08-31 07:46:21 PDT
I landed it on aurora, beta and 1.9.2 (not the relbranch) with johnath's verbal approval:

http://hg.mozilla.org/releases/mozilla-1.9.2/rev/72fd28e61b47
http://hg.mozilla.org/releases/mozilla-aurora/rev/ba929aa09503
http://hg.mozilla.org/releases/mozilla-beta/rev/6791db28b82f
Comment 13 Johnathan Nightingale [:johnath] 2011-08-31 07:58:03 PDT
(Confirming that this has any approval flags ehsan needs it to have - a=me)
Comment 14 Wan-Teh Chang 2011-08-31 15:16:52 PDT
Comment on attachment 557158 [details] [diff] [review]
Patch (v1)

>     // By request of the Dutch government

I suggest this comment be reworded.  This comment
implies we yielded to government pressure.  I doubt
that's the case.

How about something like "Staat der Nederlanden Root CA
certified their subordinate DigiNotar CAs were good"?
If it turns out their subordinate DigiNotar CAs were
also attacked, then that'll be reason to remove the
trust for Staat der Nederlanden Root CA.

Similarly, we should ask each of the root CA that
has a subordinate DigiNotar CA to either certify
or revoke the subordinate DigiNotar CA.  This is a
good test for the trustworthiness of the root CAs.
Comment 15 Eddy Nigg (StartCom) 2011-08-31 15:49:43 PDT
(In reply to Wan-Teh Chang from comment #14)
> How about something like "Staat der Nederlanden Root CA
> certified their subordinate DigiNotar CAs were good"?

Sshhh, but does that really matter? This is effectively and right now used as a revolving door by DigiNotar. I suggest you A) review this decision, B) check your procedures for such incidents, C) perhaps consult the Mozilla CA Policy.

It does look very bad in my opinion and it appears to contradict the decision to remove this root.
Comment 16 Daniel Cater 2011-08-31 16:22:02 PDT
(In reply to Wan-Teh Chang from comment #14)
> Comment on attachment 557158 [details] [diff] [review]
> Patch (v1)
> 
> >     // By request of the Dutch government
> 
> I suggest this comment be reworded.  This comment
> implies we yielded to government pressure.  I doubt
> that's the case.

Can someone please blog on the Mozilla Security Blog explaining this part of the situation? How it came about, what has been excepted and what effect it has on people visiting sites that are part of this exception. Thank you.
Comment 17 Gervase Markham [:gerv] 2011-09-01 03:48:26 PDT
Mozilla believes that the exemption for certificates under Staat der Nederlanden roots is justified, and it is in line with what other browsers are doing (which used different technical measures which made an exception unnecessary). We will be posting on the security blog soon with a fuller explanation of this. The comment in the source code is not the full story.

Gerv
Comment 18 Eddy Nigg (StartCom) 2011-09-01 04:00:35 PDT
An explanation would be certainly helpful, thanks.
Comment 20 Reed Loden [:reed] (use needinfo?) 2011-09-02 11:55:49 PDT
Considering the patch that landed is actually completely different than what this bug was about, I'm updating the summary and such to reflect that. It would be nice to get the actual patch added as an attachment here.
Comment 21 :Ehsan Akhgari 2011-09-02 12:02:20 PDT
Also: http://hg.mozilla.org/mozilla-central/rev/5319db188180
Comment 26 Edwin Martin 2011-09-02 16:23:08 PDT
In a conference of the Dutch government held right now, they also give up trust in their certificates and they expect the browsers to follow.
Comment 27 Matt Evans [:mevans] 2011-09-03 15:32:05 PDT
Could someone on this bug either indicate what verification steps should be done to verify or even better go ahead and verify yourself. TIA!
Comment 28 Geo Mealer [:geo] -- This account is inactive after 2015-07-07 2011-09-04 18:17:55 PDT
Seconding Matt, QA would like to verify this behavior before signing off, but it's unclear how we should be doing it. Any hints would be appreciated.
Comment 29 Gervase Markham [:gerv] 2011-09-05 02:45:42 PDT
The following sites should work before the patch, and not after:

Staat der Nederlanden Root CA - G2 via Diginotar PKIOverheid CA Organisatie - G2: 
  https://belastingbalie.eindhoven.nl/ (Issued: 4th Feb 2011)

Staat der Nederlanden Root CA via Diginotar PKIoverheid CA Overheid en Bedrijven:
  https://www.nifpnet.nl/ (Issued 12th May 2011)

I _think_ you should expect to see an overrideable "cert_not_trusted" error.

Gerv
Comment 30 Vlad [QA] 2011-09-05 07:07:25 PDT
Setting resolution to Verified Fixed on Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

Both sites from comment 29 are now showing the "Untrusted Connection" page.
The error is displayed under technical details: "The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)"

The same behavior applies on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Comment 31 Henrik Skupin (:whimboo) 2011-09-05 07:20:12 PDT
This bug needs to be verified against all the branches marked above as fixed. The Verified state is also for trunk and not 6.0.2 as what you have used for testing. Please test at least across 3.6.22 build 2, 6.0.2 build 2, and 7.0b4#2.
Comment 32 juan becerra [:juanb] 2011-09-05 12:42:40 PDT
I've verified this against 3.6.22(build2), 6.0.2(build2), 7.0b4(build2), and latest Nightly using Windows XP or Mac. The first url in comment #29 is now using a certificate, issued on 9/5, by a different certificate authority so there is no error. This is to be expected. The second url is untrusted but overridable.
Comment 33 Dave Garrett 2011-09-05 14:33:24 PDT
*** Bug 684747 has been marked as a duplicate of this bug. ***
Comment 34 Tan Wei Lin Jason [:Ryuji] 2011-09-07 07:42:44 PDT
(In reply to Vlad [QA] from comment #30)
> Setting resolution to Verified Fixed on Mozilla/5.0 (Windows NT 6.1;
> rv:6.0.2) Gecko/20100101 Firefox/6.0.2
> 
> Both sites from comment29 are now showing the "Untrusted Connection Page"
> The error is displayed under technical details: "The certificate is not
> trusted because the issuer certificate is unknown.Error code:
> sec_error_unknown_issuer)
> 
> The same behavior applies on:
> Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101
> Firefox/6.0.2
> Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
> Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

But I still can go into their website even in Firefox 6.0.2.
For both websites I didn't get the "Untrusted Connection" page, and I did not get the error that is displayed under technical details: "The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)"
Comment 35 Henrik Skupin (:whimboo) 2011-09-07 08:55:12 PDT
Because both websites have been issued new certificates in the meantime, which means they are no longer valid testcases.
Comment 36 juan becerra [:juanb] 2011-09-09 14:43:21 PDT
This needs to be verified on Aurora.
Comment 37 Erik Bosman 2011-09-09 15:52:18 PDT
(In reply to Henrik Skupin (:whimboo) from comment #35)
> Because both websites have been issued new certificates meanwhile. Which
> means they are no valid testcases anymore.

New testcase, the Dutch secret service still has a Diginotar cert!

Staat der Nederlanden Root CA via Diginotar PKIoverheid CA Overheid en Bedrijven:
https://www.aivd.nl/
