[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

On Thu, Sep 01, 2011 at 08:37:01AM +0200, Mike Hommey wrote:
> On Wed, Aug 31, 2011 at 11:02:53PM -0500, Raphael Geissert wrote:
> > On Tuesday 30 August 2011 23:30:19 Mike Hommey wrote:
> > > On Wed, Aug 31, 2011 at 06:26:26AM +0200, Mike Hommey wrote:
> > > > So, I'll put that on tiredness. That'd be several fraudulent
> > > > certificates which fingerprint is unknown (thus even CRL, OCSP and
> > > > blacklists can't do anything), and the mitigation involves several
> > > > different intermediate certs that are cross-signed, which makes it kind
> > > > of hard. Plus, there is the problem that untrusting the DigiNotar root
> > > > untrusts a separate PKI used by the Dutch government.
> > 
> > AFAICS, this last part is not true. The gov has one Root and DigiNotar's 
> > PKIOverheid is one if its leafs.
> > Other DigiNotar CAs are the one derived from Entrust (seems to have been 
> > revoked), and a PKIOverheid G2 that I've seen mentioned in a few places (also 
> > derived from Entrust?)
> Well, reality is that the Firefox 6.0.1 release, which has a white least
> for Staat der Nederlanden Root CA but not Staat der Nederlanden Root CA
> - G2, effectively prevents from going to a couple of dutch government
> sites.
> Considering it has been found that the PSM side blacklist doesn't work,
> that suggests that the root CA removal alone is responsible for the
> situation, but I could be wrong.

I did some actual testing. With the DigiNoTar Root CA removal, we
don't block Staat der Nederlanden Root CA and Staat der Nederlanden Root
CA - G2. We also don't block (obviously) the ones with intermediate
certs signed by Entrust, and if I followed the story correctly, this
means we're effectively *not* preventing the *.google.com,
addons.mozilla.org, *.yahoo.com, etc. fraudulent certificates from being

A few urls to test:
https://www.diginotar.nl should be blocked, and is -> OK
https://sha2.diginotar.nl should not be blocked, and isn't -> OK
https://zga-tag.zorggroep-almere.nl should be blocked, and isn't -> BAD


Reply to: