Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
On 09/04/2011 10:35 AM, Yves-Alexis Perez wrote:
> On dim., 2011-09-04 at 01:37 -0500, Raphael Geissert wrote:
>> On Saturday 03 September 2011 01:45:22 Mike Hommey wrote:
>>> Looking at the patches, this really is:
>> Ok, with the patches we got NSS covered, but we still need to do
>> something for other users.
>> A first look at stuff we ship, this seems to be their current
>> status: * NSS: ice* packages should be okay after the latest NSS
> For other NSS users I guess they're ok? I've just checked in
> evolution certificate store and there's no DigiNotar one, though I
> don't know if evolution would prevent connection to an
> imap/pop/smtp server with a relevant certificate.
> evolution uses gnutls for calendars (since it's http/https) and so
> is protected through ca-certificates afaict?
>> * OpenSSL Nothing special here
>> * GnuTLS Nothing special here
>> * chromium: Even after the NSS update, it seems to be happy to
>> use the Explicitly Distrusted certs.
> I've tried the tree websites given on this bug report but I don't
> know if they still make sense:
> https://www.diginotar.nl redirects to http://www.diginotar.nl/ (!!)
> but as the redirect isn't prevented I guess chromium is ok with
> the certificate.
> https://sha2.diginotar.nl/ succeeds, chain of certification is:
> CN = sha2.diginotar.nl CN = DigiNotar PKIoverheid CA Organisatie -
> G2 CN = Staat der Nederlanden Organisatie CA - G2 CN = Staat der
> Nederlanden Root CA - G2 (chromium builtin).
Chromium needs an update to .220 to properly block all of the