Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA

To: "Yves-Alexis Perez" <corsac@debian.org>
Cc: 639744@bugs.debian.org, Mike Hommey <mh@glandium.org>, Josh Triplett <josh@joshtriplett.org>
Subject: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
From: Raphael Geissert <geissert@debian.org>
Date: Sun, 4 Sep 2011 13:34:39 -0500
Message-id: <[🔎] 201109041334.44625.geissert@debian.org>
Reply-to: Raphael Geissert <geissert@debian.org>, 639744@bugs.debian.org
In-reply-to: <[🔎] 1315150520.16745.11.camel@scapa>
References: <20110829210357.26233.13731.reportbug@leaf> <[🔎] 201109040137.21574.geissert@debian.org> <[🔎] 1315150520.16745.11.camel@scapa>

[Dropping CC on openssl maintainers, to reduce noise]

On Sunday 04 September 2011 10:35:16 Yves-Alexis Perez wrote:
> On dim., 2011-09-04 at 01:37 -0500, Raphael Geissert wrote:
> > On Saturday 03 September 2011 01:45:22 Mike Hommey wrote:
> > > Looking at the patches, this really is:
> > [...]
> > 
> > Ok, with the patches we got NSS covered, but we still need to do
> > something for other users.
> > 
> > A first look at stuff we ship, this seems to be their current status:
> > * NSS:
> > ice* packages should be okay after the latest NSS update.
> 
> For other NSS users I guess they're ok? I've just checked in evolution
> certificate store and there's no DigiNotar one, though I don't know if
> evolution would prevent connection to an imap/pop/smtp server with a
> relevant certificate.

Did you look for "Explicitly Disabled DigiNotar..."?

> evolution uses gnutls for calendars (since it's http/https) and so is
> protected through ca-certificates afaict?

Not really, since DigiNotar's CA is cross-signed by Entrust and it probably 
won't know that that signature has been revoked, since GnuTLS doesn't support 
OCSP.

That's the same sad story for everything else using GnuTLS and for many 
OpenSSL users. OpenSSL does support OCSP, but applications rarely use it.

> I've tried the tree websites given on this bug report but I don't know
> if they still make sense:
> 
> https://www.diginotar.nl redirects to http://www.diginotar.nl/ (!!) but
> as the redirect isn't prevented I guess chromium is ok with the
> certificate.
> 
> https://sha2.diginotar.nl/ succeeds, chain of certification is:
> 
> CN = sha2.diginotar.nl
> CN = DigiNotar PKIoverheid CA Organisatie - G2
> CN = Staat der Nederlanden Organisatie CA - G2
> CN = Staat der Nederlanden Root CA - G2 (chromium builtin).

From mozilla's bugzilla, these should also fail:
https://www.nifpnet.nl/
https://belastingbalie.eindhoven.nl/
https://acceptation.cbpublications.ingcommercialbanking.com/

(disable online recovation check before testing, at least the last one)

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Reply to:

Follow-Ups:
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Yves-Alexis Perez <corsac@debian.org>

References:
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Raphael Geissert <geissert@debian.org>
- Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
  - From: Yves-Alexis Perez <corsac@debian.org>

Prev by Date: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Next by Date: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Previous by thread: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Next by thread: Bug#639744: Compromised certificates for *.google.com issued by DigiNotar Root CA
Index(es):
- Date
- Thread