
Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA



On 09/04/2011 10:35 AM, Yves-Alexis Perez wrote:
> On dim., 2011-09-04 at 01:37 -0500, Raphael Geissert wrote:
>> On Saturday 03 September 2011 01:45:22 Mike Hommey wrote:
>>> Looking at the patches, this really is:
>> [...]
>> 
>> Ok, with the patches we got NSS covered, but we still need to do
>> something for other users.
>> 
>> A first look at stuff we ship, this seems to be their current
>> status:
>> 
>> * NSS: ice* packages should be okay after the latest NSS update.
> 
> For other NSS users I guess they're ok? I've just checked in
> evolution certificate store and there's no DigiNotar one, though I
> don't know if evolution would prevent connection to an
> imap/pop/smtp server with a relevant certificate.
> 
> evolution uses gnutls for calendars (since it's http/https) and so
> is protected through ca-certificates afaict?
> 
>> 
>> * OpenSSL Nothing special here
>> 
>> * GnuTLS Nothing special here
>> 
>> * chromium: Even after the NSS update, it seems to be happy to
>> use the Explicitly Distrusted certs.
> 
> I've tried the three websites given on this bug report but I don't
> know if they still make sense:
> 
> https://www.diginotar.nl redirects to http://www.diginotar.nl/ (!!)
> but as the redirect isn't prevented I guess chromium is ok with
> the certificate.
> 
> https://sha2.diginotar.nl/ succeeds, chain of certification is:
> 
> CN = sha2.diginotar.nl
> CN = DigiNotar PKIoverheid CA Organisatie - G2
> CN = Staat der Nederlanden Organisatie CA - G2
> CN = Staat der Nederlanden Root CA - G2 (chromium builtin).
> 
> 
> Regards,

Chromium needs an update to .220 to properly block all of the
DigiNotar certificates.


