Remove the exemptions for the Staat der Nederlanden root

VERIFIED FIXED in Firefox 7

Status

Core
Security: PSM
--
blocker
VERIFIED FIXED
6 years ago
6 years ago

People

(Reporter: gerv, Assigned: Ehsan)

Tracking

unspecified
mozilla9
verified-beta, verified1.9.2

Firefox Tracking Flags

(firefox6 .2-fixed, firefox7 fixed, firefox8 fixed, firefox9 fixed, status1.9.2 .22-fixed)

Details

(Whiteboard: [qa+])

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

6 years ago
It turns out that there are two Staat der Nederlanden roots in our root store, and our patch only exempts one of them from the DigiNotar block :-(( This means that a number of websites whose certs do not chain up to the dis-trusted DigiNotar root are nevertheless having their certificates viewed as untrusted. I'm not sure how many sites this is.

The roots are:
Staat der Nederlanden Root CA
  (successfully exempted)
Staat der Nederlanden Root CA - G2
  (accidentally included)

The line of code is this one:

if (!strcmp(node->cert->issuerName,
    "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL") ...

This check needs to include both the names above.

Test site:
https://sha2.diginotar.nl/

Gerv
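
The gap described in the report above, as an added example that is not part of the original bug or of Mozilla's patch: an exact `strcmp` against one issuer DN exempts chains under the first root but leaves chains under the G2 root blocked. The struct types, the `chain_blocked` model of the DigiNotar block, the sample chains and the full G2 DN (assumed to follow the form of the quoted one) are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the chain node types (assumption, not NSS code). */
struct cert { const char *issuerName; };
struct node { const struct cert *cert; };

/* ROOT_G1 is the DN quoted in the report; ROOT_G2 is assumed to have the same form. */
#define ROOT_G1 "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL"
#define ROOT_G2 "CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL"

/* Exemption as quoted in the report: exact match on a single issuer DN. */
static int exempt_single(const struct node *n) {
    return !strcmp(n->cert->issuerName, ROOT_G1);
}

/* Exemption that lists both roots named in the report. */
static int exempt_both(const struct node *n) {
    return !strcmp(n->cert->issuerName, ROOT_G1) ||
           !strcmp(n->cert->issuerName, ROOT_G2);
}

/* Hypothetical model of the block: a chain is rejected when any certificate
 * was issued by a DigiNotar CA, unless some certificate in the chain was
 * issued directly by an exempt root. Returns 1 if the chain is blocked. */
static int chain_blocked(const struct node *chain, size_t len,
                         int (*is_exempt)(const struct node *)) {
    int diginotar = 0, exempted = 0;
    for (size_t i = 0; i < len; i++) {
        if (strstr(chain[i].cert->issuerName, "CN=DigiNotar"))
            diginotar = 1;
        if (is_exempt(&chain[i]))
            exempted = 1;
    }
    return diginotar && !exempted;
}

/* Constructed chains, leaf first; the DigiNotar DNs are illustrative. */
static const struct cert leaf_g1 = { "CN=DigiNotar Example CA,O=DigiNotar B.V.,C=NL" };
static const struct cert sub_g1  = { ROOT_G1 };
static const struct cert leaf_g2 = { "CN=DigiNotar Example CA - G2,O=DigiNotar B.V.,C=NL" };
static const struct cert sub_g2  = { ROOT_G2 };
static const struct node chain_g1[] = { { &leaf_g1 }, { &sub_g1 } };
static const struct node chain_g2[] = { { &leaf_g2 }, { &sub_g2 } };

int main(void) {
    printf("G1 chain, single-name check: blocked=%d\n", chain_blocked(chain_g1, 2, exempt_single));
    printf("G2 chain, single-name check: blocked=%d\n", chain_blocked(chain_g2, 2, exempt_single));
    printf("G2 chain, both-names check:  blocked=%d\n", chain_blocked(chain_g2, 2, exempt_both));
    return 0;
}
```
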

Comment 1

6 years ago
Some more websites:
https://g2test.logius.nl/
https://steenwijkerland.bim.mijnbezwaar.nl/

Let me know if you need more.

Comment 2

6 years ago
Again more sites:
https://secure.valkenswaard.nl/
https://www8.eindhoven.nl/

Thanks
(Reporter)

Comment 3

6 years ago
This bug cannot progress until the right people wake up. If we decide to issue a further update, the turnaround time is about 24 hours.

Gerv
Assignee: nobody → bsmith
I think I may have a patch.
Assignee: bsmith → ehsan
Created attachment 557158 [details] [diff] [review]
Patch (v1)
Attachment #557158 - Flags: review?(rrelyea)
Attachment #557158 - Flags: review?(kaie)
Attachment #557158 - Flags: review?(dveditz)
Attachment #557158 - Flags: review?(bsmith)
Created attachment 557159 [details] [diff] [review]
WIP - Allow Staat der Nederlanden Root CA - G2 Root

This is still building on my machine.
Attachment #557159 - Flags: review?(kaie)
Attachment #557159 - Flags: review?(honzab.moz)
Attachment #557159 - Flags: review?(dveditz)
(In reply to Brian Smith (:bsmith) from comment #6)
> Created attachment 557159 [details] [diff] [review]
> WIP - Allow Staat der Nederlanden Root CA - G2 Root
> 
> This is still building on my machine.

Same here!
Comment on attachment 557159 [details] [diff] [review]
WIP - Allow Staat der Nederlanden Root CA - G2 Root

Will use Ehsan's patch, which I will r+ as soon as it finishes building on my machine and I can test it.
Attachment #557159 - Attachment is obsolete: true
Attachment #557159 - Flags: review?(kaie)
Attachment #557159 - Flags: review?(honzab.moz)
Attachment #557159 - Flags: review?(dveditz)
Blocks: 682927
Keywords: regression

Comment 9

6 years ago
Comment on attachment 557158 [details] [diff] [review]
Patch (v1)

If the Dutch gov insists on this, and Mozilla decides to concur, I'm fine with this code change.
r=kaie
Attachment #557158 - Flags: review?(kaie) → review+
Just verified locally that the fix is working for all of the test websites.
http://hg.mozilla.org/mozilla-central/rev/e18dcb523b20
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
I landed it on aurora, beta and 1.9.2 (not the relbranch) with johnath's verbal approval:

http://hg.mozilla.org/releases/mozilla-1.9.2/rev/72fd28e61b47
http://hg.mozilla.org/releases/mozilla-aurora/rev/ba929aa09503
http://hg.mozilla.org/releases/mozilla-beta/rev/6791db28b82f
status1.9.2: --- → .22-fixed
status-firefox7: --- → fixed
status-firefox8: --- → fixed
Attachment #557158 - Flags: review?(rrelyea)
Attachment #557158 - Flags: review?(dveditz)
Attachment #557158 - Flags: review?(bsmith)
status-firefox9: --- → fixed
(Confirming that this has any approval flags ehsan needs it to have - a=me)
status1.9.2: .22-fixed → ---
status-firefox7: fixed → ---
status-firefox8: fixed → ---
status-firefox9: fixed → ---
status1.9.2: --- → .22-fixed
status-firefox7: --- → fixed
status-firefox8: --- → fixed
status-firefox9: --- → fixed

Comment 14

6 years ago
Comment on attachment 557158 [details] [diff] [review]
Patch (v1)

>     // By request of the Dutch government

I suggest this comment be reworded.  This comment
implies we yielded to government pressure.  I doubt
that's the case.

How about something like "Staat der Nederlanden Root CA
certified their subordinate DigiNotar CAs were good"?
If it turns out their subordinate DigiNotar CAs were
also attacked, then that'll be reason to remove the
trust for Staat der Nederlanden Root CA.

Similarly, we should ask each of the root CAs that
has a subordinate DigiNotar CA to either certify
or revoke the subordinate DigiNotar CA.  This is a
good test for the trustworthiness of the root CAs.
(In reply to Wan-Teh Chang from comment #14)
> How about something like "Staat der Nederlanden Root CA
> certified their subordinate DigiNotar CAs were good"?

Sshhh, but does that really matter? This is effectively and right now used as a revolving door by DigiNotar. I suggest to A) review this decision, B) check your procedures for such incidences, C) perhaps consult with the Mozilla CA Policy.

It does look very bad in my opinion and it appears to contradict the decision to remove this root.

Comment 16

6 years ago
(In reply to Wan-Teh Chang from comment #14)
> Comment on attachment 557158 [details] [diff] [review]
> Patch (v1)
> 
> >     // By request of the Dutch government
> 
> I suggest this comment be reworded.  This comment
> implies we yielded to government pressure.  I doubt
> that's the case.

Can someone please blog on the Mozilla Security Blog explaining this part of the situation? How it came about, what has been excepted and what effect it has on people visiting sites that are part of this exception. Thank you.
(Reporter)

Comment 17

6 years ago
Mozilla believes that the exemption for certificates under Staat der Nederlanden roots is justified, and it is in line with what other browsers are doing (which used different technical measures which made an exception unnecessary). We will be posting on the security blog soon with a fuller explanation of this. The comment in the source code is not the full story.

Gerv
An explanation would be certainly helpful, thanks.
http://hg.mozilla.org/mozilla-central/rev/471f4fbc9c85
http://hg.mozilla.org/releases/mozilla-aurora/rev/f020f92c79ca
http://hg.mozilla.org/releases/mozilla-beta/rev/f6dafd2dcc63
http://hg.mozilla.org/releases/mozilla-beta/rev/731b7bc62da3
http://hg.mozilla.org/releases/mozilla-release/rev/c32149f14aeb
http://hg.mozilla.org/releases/mozilla-release/rev/58b06f58f4f8
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/2e7eba4287e7
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/dbfc18ea5b93
Considering the patch that landed is actually completely different than what this bug was about, I'm updating the summary and such to reflect that. It would be nice to get the actual patch added as an attachment here.
Keywords: regression
Summary: DigiNotar patch erroneously blocks one of the two Staat der Nederlanden roots → Remove the exemptions for the Staat der Nederlanden root
Also: http://hg.mozilla.org/mozilla-central/rev/5319db188180
Also: http://hg.mozilla.org/releases/mozilla-aurora/rev/a5a5c583c381
http://hg.mozilla.org/releases/mozilla-beta/rev/01d409d49c6a
http://hg.mozilla.org/releases/mozilla-beta/rev/ff20a21364bb
http://hg.mozilla.org/releases/mozilla-release/rev/e65f4c8bd243
http://hg.mozilla.org/releases/mozilla-release/rev/5b6c2f8ff6da
http://hg.mozilla.org/releases/mozilla-release/rev/14452010e012
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/463dbdc80866
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/d19ac6a6ef00

Updated

6 years ago
status-firefox6: --- → .2-fixed

Updated

6 years ago
status1.9.2: .23-fixed → .22-fixed

Comment 26

6 years ago
In a conference of the Dutch government held right now, they also give up trust in their certificates and they expect the browsers to follow.
status1.9.2: .22-fixed → ---
status-firefox6: .2-fixed → ---
status1.9.2: --- → .22-fixed
status-firefox6: --- → .2-fixed
Could someone on this bug either indicate what verification steps should be done to verify or even better go ahead and verify yourself. TIA!
Seconding Matt, QA would like to verify this behavior before signing off, but it's unclear how we should be doing it. Any hints would be appreciated.
(Reporter)

Comment 29

6 years ago
The following sites should work before the patch, and not after:

Staat der Nederlanden Root CA - G2 via Diginotar PKIOverheid CA Organisatie - G2: 
  https://belastingbalie.eindhoven.nl/ (Issued: 4th Feb 2011)

Staat der Nederlanden Root CA via Diginotar PKIoverheid CA Overheid en Bedrijven:
  https://www.nifpnet.nl/ (Issued 12th May 2011)

I _think_ you should expect to see an overrideable "cert_not_trusted" error.

Gerv

Comment 30

6 years ago
Setting resolution to Verified Fixed on Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

Both sites from comment 29 are now showing the "Untrusted Connection Page"
The error is displayed under technical details: "The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)"

The same behavior applies on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Status: RESOLVED → VERIFIED
This bug needs to be verified against all the branches marked above as fixed. The Verified state is also for trunk and not 6.0.2 as what you have used for testing. Please test at least across 3.6.22 build 2, 6.0.2 build 2, and 7.0b4#2.
Status: VERIFIED → RESOLVED
Last Resolved: 6 years ago

Updated

6 years ago
Component: CA Certificates → Security: PSM
Product: NSS → Core
QA Contact: root-certs → psm
Version: trunk → unspecified
I've verified this against 3.6.22(build2), 6.0.2(build2), 7.0b4(build2), and latest Nightly using Windows XP or Mac. The first url in comment #29 is now using a certificate, issued on 9/5, by a different certificate authority so there is no error. This is to be expected. The second url is untrusted but overridable.
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
Keywords: verified-beta
Target Milestone: --- → mozilla9

Updated

6 years ago
Duplicate of this bug: 684747
(In reply to Vlad [QA] from comment #30)
> Setting resolution to Verified Fixed on Mozilla/5.0 (Windows NT 6.1;
> rv:6.0.2) Gecko/20100101 Firefox/6.0.2
> 
> Both sites from comment29 are now showing the "Untrusted Connection Page"
> The error is displayed under technical details: "The certificate is not
> trusted because the issuer certificate is unknown.Error code:
> sec_error_unknown_issuer)
> 
> The same behavior applies on:
> Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101
> Firefox/6.0.2
> Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
> Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

But I still can go into their website even in Firefox 6.0.2
For both websites I didn't get the "Untrusted Connection Page". I did not get the error that is displayed under technical details: "The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)"
Because both websites have been issued new certificates meanwhile. Which means they are no valid testcases anymore.
This needs to be verified on Aurora.
Whiteboard: [qa+]

Comment 37

6 years ago
(In reply to Henrik Skupin (:whimboo) from comment #35)
> Because both websites have been issued new certificates meanwhile. Which
> means they are no valid testcases anymore.

New testcase, the Dutch secret service still has a Diginotar cert!

Staat der Nederlanden Root CA via Diginotar PKIoverheid CA Overheid en Bedrijven:
https://www.aivd.nl/