Bug 478462 - forged ca certificate validated by a ca in ca-certificates
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: ca-certificates
Version: 10
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Joe Orton
QA Contact: Fedora Extras Quality Assurance
URL: http://phreedom.org/research/rogue-ca/
Whiteboard: Security
Depends On:
Blocks:
Reported: 2008-12-30 15:33 UTC by Till Maas
Modified: 2009-01-07 18:02 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-02 16:43:41 UTC
Type: ---
Embargoed:



Description Till Maas 2008-12-30 15:33:18 UTC
Description of problem:
The SSL certificate of this site is shown as valid if the ca certificates bundle is used:
https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/

Version-Release number of selected component (if applicable):
ca-certificates-2008-7

How reproducible:
always

Steps to Reproduce:
1. set time to July 2004
2. openssl s_client -showcerts -connect i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org:443

  
Actual results:
The certificate is shown as valid.

Expected results:
It should not be shown as valid.


Additional info:
Removing the certs with CN "Equifax Secure Global eBusiness CA-1" helps here. Since there are probably people who still want to use it, maybe it should be moved into a separate package that contains some warning information and is not installed by default.

More information can be found here:
http://phreedom.org/research/rogue-ca/

Comment 1 Joe Orton 2009-01-02 16:43:41 UTC
1) My understanding is that Verisign have stopped issuing certs which use MD5 in the hash algorithm, mitigating the attack in question.

2) The list of CA certs we ship here is derived exactly from the Mozilla CA cert list, so this request is best directed upstream in the first instance.  (dev-tech-crypto.org or Mozilla bugzilla).  We (Fedora) should absolutely not get into the business of modifying the root CA bundle in an ad-hoc fashion.

Comment 2 Till Maas 2009-01-07 18:02:23 UTC
(In reply to comment #1)
> 1) My understanding is that Verisign have stopped issuing certs which use MD5
> in the hash algorithm, mitigating the attack in question.

An attacker may get access to the private key of the rogue CA certificate; there is afaik no information available about how the key is protected, except that it is somehow secured. Also, there may already be other people who used this attack to get a rogue CA certificate without publishing it. The cost to get this rogue CA certificate was pretty low, iirc around 20 000 Euro or Dollar worth of processing time and less than 1 000 Euro to buy certificates.

> 2) The list of CA certs we ship here is derived exactly from the Mozilla CA
> cert list, so this request is best directed upstream in the first instance. 
> (dev-tech-crypto.org or Mozilla bugzilla).  We (Fedora) should
> absolutely not get into the business of modifying the root CA bundle in an
> ad-hoc fashion.

Afaik Mozilla was already informed several weeks ago, therefore it seems that they do not care that much.

