Bug 478462 - forged ca certificate validated by a ca in ca-certificates
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: ca-certificates
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Joe Orton
QA Contact: Fedora Extras Quality Assurance
URL: http://phreedom.org/research/rogue-ca/
Keywords: Security
Reported: 2008-12-30 10:33 EST by Till Maas
Modified: 2009-01-07 13:02 EST

Last Closed: 2009-01-02 11:43:41 EST


Description Till Maas 2008-12-30 10:33:18 EST
Description of problem:
The SSL certificate of this site is shown as valid if the ca certificates bundle is used:
https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/

Version-Release number of selected component (if applicable):
ca-certificates-2008-7

How reproducible:
always

Steps to Reproduce:
1. set time to July 2004
2. openssl s_client -showcerts -connect i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org:443

  
Actual results:
The certificate is shown as valid.

Expected results:
It should not be shown as valid.


Additional info:
Removing the certs with CN "Equifax Secure Global eBusiness CA-1" helps here. Since there are probably people who still want to use it, maybe it should be moved into a separate package that contains some warning information and is not installed by default.

More information can be found here:
http://phreedom.org/research/rogue-ca/
Comment 1 Joe Orton 2009-01-02 11:43:41 EST
1) My understanding is that Verisign have stopped issuing certs which use MD5 in the hash algorithm, mitigating the attack in question.

2) The list of CA certs we ship here is derived exactly from the Mozilla CA cert list, so this request is best directed upstream in the first instance.  (dev-tech-crypto@lists.mozilla.org or Mozilla bugzilla).  We (Fedora) should absolutely not get into the business of modifying the root CA bundle in an ad-hoc fashion.
Comment 2 Till Maas 2009-01-07 13:02:23 EST
(In reply to comment #1)
> 1) My understanding is that Verisign have stopped issuing certs which use MD5
> in the hash algorithm, mitigating the attack in question.

An attacker may get access to the private key of the rogue CA certificate; there is afaik no information available about how the key is protected, except that it is somehow secured. Also, other people may already have used this attack to get a rogue CA certificate without publishing it. The cost to get this rogue CA certificate was pretty low, iirc around 20 000 Euro or Dollar worth of processing time and less than 1 000 Euro to buy certificates.

> 2) The list of CA certs we ship here is derived exactly from the Mozilla CA
> cert list, so this request is best directed upstream in the first instance. 
> (dev-tech-crypto@lists.mozilla.org or Mozilla bugzilla).  We (Fedora) should
> absolutely not get into the business of modifying the root CA bundle in an
> ad-hoc fashion.

Afaik Mozilla was already informed several weeks ago, therefore it seems that they do not care that much.
