[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

On dim., 2011-09-04 at 01:37 -0500, Raphael Geissert wrote:
> On Saturday 03 September 2011 01:45:22 Mike Hommey wrote:
> > Looking at the patches, this really is:
> [...]
> Ok, with the patches we got NSS covered, but we still need to do something for 
> other users.
> A first look at stuff we ship, this seems to be their current status:
> * NSS:
> ice* packages should be okay after the latest NSS update.

For other NSS users I guess they're ok? I've just checked in evolution
certificate store and there's no DigiNotar one, though I don't know if
evolution would prevent connection to an imap/pop/smtp server with a
relevant certificate.

evolution uses gnutls for calendars (since it's http/https) and so is
protected through ca-certificates afaict?

> * OpenSSL
> Nothing special here
> * GnuTLS
> Nothing special here
> * chromium:
> Even after the NSS update, it seems to be happy to use the Explicitly 
> Distrusted certs.

I've tried the tree websites given on this bug report but I don't know
if they still make sense:

https://www.diginotar.nl redirects to http://www.diginotar.nl/ (!!) but
as the redirect isn't prevented I guess chromium is ok with the

https://sha2.diginotar.nl/ succeeds, chain of certification is:

CN = sha2.diginotar.nl
CN = DigiNotar PKIoverheid CA Organisatie - G2
CN = Staat der Nederlanden Organisatie CA - G2
CN = Staat der Nederlanden Root CA - G2 (chromium builtin).


Attachment: signature.asc
Description: This is a digitally signed message part

Reply to: