Remove the exemptions for the Staat der Nederlanden root

Bug #838322 reported by Micah Gersten on 2011-08-31
Affects                     Status         Importance   Assigned to      Milestone
Mozilla Firefox             Fix Released   Critical
firefox (Ubuntu)                           Medium       Chris Coulson
  Lucid                                    Medium       Micah Gersten
  Maverick                                 Medium       Micah Gersten
  Natty                                    Medium       Micah Gersten
  Oneiric                                  Medium       Chris Coulson
thunderbird (Ubuntu)                       Medium       Chris Coulson
  Lucid                                    Medium       Micah Gersten
  Maverick                                 Medium       Micah Gersten
  Natty                                    Medium       Micah Gersten
  Oneiric                                  Medium       Chris Coulson
xulrunner-1.9.2 (Ubuntu)                   Undecided    Unassigned
  Lucid                                    Medium       Micah Gersten
  Maverick                                 Medium       Micah Gersten
  Natty                                    Undecided    Unassigned
  Oneiric                                  Undecided    Unassigned

Bug Description

Here's an updated blog post on the DigiNotar issue:
http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/

The Staat der Nederlanden root exemption has been removed. These root certs are still believed to be trusted. The "PKIOverheid" (PKIGovernment) intermediates under DigiNotar's control that did not chain to DigiNotar's root and were not previously blocked were blocked instead.

It turns out that there are two Staat der Nederlanden roots in our root store, and our patch only exempts one of them from the DigiNotar block :-(( This means that a number of websites whose certs do not chain up to the dis-trusted DigiNotar root are nevertheless having their certificates viewed as untrusted. I'm not sure how many sites this is.

The roots are:
Staat der Nederlanden Root CA
  (successfully exempted)
Staat der Nederlanden Root CA - G2
  (accidentally included)

The line of code is this one:

if (!strcmp(node->cert->issuerName,
    "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL") ...

This check needs to include both the names above.

Test site:
https://sha2.diginotar.nl/

Gerv
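The check Gerv quotes above, together with the later removal of the exemption described at the top of this bug, modelled as an added example. This is not Mozilla or NSS code: the chain walk and the "issuer name contains DigiNotar" rule are a simplification of the real PSM check, and the DigiNotar root DN, the PKIoverheid intermediate DNs, the sample leaf names and the `chain_distrusted` / policy names are all constructed for the illustration. Only the two Staat der Nederlanden root DNs are the ones quoted in the bug.

```c
/* Added example, not Mozilla/NSS code.  It models the DigiNotar distrust
 * check the bug describes as a walk over a chain's issuer names, under the
 * three policies the bug history went through.  The two Staat der
 * Nederlanden root DNs are the ones quoted in the bug; the DigiNotar root
 * and PKIoverheid intermediate DNs are assumed shapes built from the CA
 * names mentioned on the page, not copied from the real certificates. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SDN_ROOT    "CN=Staat der Nederlanden Root CA,O=Staat der Nederlanden,C=NL"
#define SDN_ROOT_G2 "CN=Staat der Nederlanden Root CA - G2,O=Staat der Nederlanden,C=NL"
#define NCHAIN(c)   (sizeof(c) / sizeof((c)[0]))

enum policy {
    EXEMPT_ONE_ROOT,    /* first patch: only SDN_ROOT exempted (the bug)      */
    EXEMPT_BOTH_ROOTS,  /* intended fix: both SDN roots exempted              */
    EXEMPT_NONE         /* final state: every DigiNotar-issued cert untrusted */
};

typedef struct { const char *subject; const char *issuer; } cert_t;

/* Case-insensitive substring search; strcasestr is not ISO C. */
static bool contains_nocase(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return true;
    }
    return false;
}

/* The exemption test: the original compared against SDN_ROOT only. */
static bool issuer_is_exempt_root(const char *issuer, enum policy p) {
    switch (p) {
    case EXEMPT_ONE_ROOT:
        return strcmp(issuer, SDN_ROOT) == 0;
    case EXEMPT_BOTH_ROOTS:
        return strcmp(issuer, SDN_ROOT) == 0 || strcmp(issuer, SDN_ROOT_G2) == 0;
    default:
        return false;
    }
}

/* chain[0] is the leaf, chain[n-1] the root.  Reject when some certificate
 * was issued by a DigiNotar CA and none was issued by an exempted root. */
bool chain_distrusted(const cert_t *chain, size_t n, enum policy p) {
    bool diginotar_issued = false, under_exempt_root = false;
    for (size_t i = 0; i < n; i++) {
        if (contains_nocase(chain[i].issuer, "DigiNotar")) diginotar_issued = true;
        if (issuer_is_exempt_root(chain[i].issuer, p))    under_exempt_root = true;
    }
    return diginotar_issued && !under_exempt_root;
}

/* Constructed chains shaped like the test sites named in the bug (assumed DNs). */
#define PKIO_G2  "CN=DigiNotar PKIoverheid CA Organisatie - G2,O=DigiNotar,C=NL"
#define PKIO_OEB "CN=DigiNotar PKIoverheid CA Overheid en Bedrijven,O=DigiNotar,C=NL"
#define DN_ROOT  "CN=DigiNotar Root CA,O=DigiNotar,C=NL"
#define EX_CA    "CN=Example Issuing CA,O=Example,C=NL"
#define EX_ROOT  "CN=Example Root CA,O=Example,C=NL"

const cert_t chain_g2[]      = { { "CN=belastingbalie.eindhoven.nl", PKIO_G2 },
                                 { PKIO_G2, SDN_ROOT_G2 }, { SDN_ROOT_G2, SDN_ROOT_G2 } };
const cert_t chain_sdn[]     = { { "CN=www.nifpnet.nl", PKIO_OEB },
                                 { PKIO_OEB, SDN_ROOT }, { SDN_ROOT, SDN_ROOT } };
const cert_t chain_dn_root[] = { { "CN=sha2.diginotar.nl", DN_ROOT }, { DN_ROOT, DN_ROOT } };
const cert_t chain_other[]   = { { "CN=www.example.nl", EX_CA },
                                 { EX_CA, EX_ROOT }, { EX_ROOT, EX_ROOT } };

int main(void) {
    static const char *policy_name[] = { "exempt one root", "exempt both roots", "no exemption" };
    const struct { const char *label; const cert_t *c; size_t n; } cases[] = {
        { "via SDN Root CA - G2",  chain_g2,      NCHAIN(chain_g2) },
        { "via SDN Root CA",       chain_sdn,     NCHAIN(chain_sdn) },
        { "via DigiNotar Root CA", chain_dn_root, NCHAIN(chain_dn_root) },
        { "unrelated CA",          chain_other,   NCHAIN(chain_other) },
    };
    for (size_t i = 0; i < NCHAIN(cases); i++) {
        printf("%-22s", cases[i].label);
        for (int p = EXEMPT_ONE_ROOT; p <= EXEMPT_NONE; p++)
            printf("  %s: %-5s", policy_name[p],
                   chain_distrusted(cases[i].c, cases[i].n, (enum policy)p) ? "BLOCK" : "ok");
        putchar('\n');
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall distrust.c` and run it. Under EXEMPT_ONE_ROOT the chain through "Staat der Nederlanden Root CA - G2" is blocked while the one through "Staat der Nederlanden Root CA" passes, which is exactly the asymmetry the strcmp against a single DN produced; EXEMPT_BOTH_ROOTS lets both pass; EXEMPT_NONE blocks every chain with a DigiNotar issuer in it, the outcome of the final update. A chain to the DigiNotar root is blocked under every policy and an unrelated CA is never affected.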

This bug cannot progress until the right people wake up. If we decide to issue a further update, the turnaround time is about 24 hours.

Gerv

I think I may have a patch.

Created attachment 557158
Patch (v1)

Created attachment 557159
WIP - Allow Staat der Nederlanden Root CA - G2 Root

This is still building on my machine.

(In reply to Brian Smith (:bsmith) from comment #6)
> Created attachment 557159
> WIP - Allow Staat der Nederlanden Root CA - G2 Root
>
> This is still building on my machine.

Same here!

Comment on attachment 557159
WIP - Allow Staat der Nederlanden Root CA - G2 Root

Will use Ehsan's patch, which I will r+ as soon as it finishes building on my machine and I can test it.

Comment on attachment 557158
Patch (v1)

If the Dutch gov insists on this, and Mozilla decides to concur, I'm fine with this code change.
r=kaie

Just verified locally that the fix is working for all of the test websites.

(Confirming that this has any approval flags ehsan needs it to have - a=me)

Micah Gersten (micahg) on 2011-08-31
Changed in firefox (Ubuntu Oneiric):
importance: Undecided → Medium
status: New → Triaged
Changed in firefox (Ubuntu Natty):
importance: Undecided → Medium
status: New → Triaged
Changed in firefox (Ubuntu Maverick):
importance: Undecided → Medium
status: New → Triaged
Changed in firefox (Ubuntu Lucid):
status: New → Triaged
importance: Undecided → Medium
Changed in firefox:
importance: Unknown → Critical
status: Unknown → Fix Released

Natty won't be affected as 1.9.2.21 isn't being pushed to it.

Changed in xulrunner-1.9.2 (Ubuntu Lucid):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: New → In Progress
Changed in xulrunner-1.9.2 (Ubuntu Maverick):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: New → In Progress
Changed in xulrunner-1.9.2 (Ubuntu Natty):
status: New → Invalid
Micah Gersten (micahg) wrote :

Oneiric doesn't have xulrunner-1.9.2

Changed in xulrunner-1.9.2 (Ubuntu Oneiric):
status: New → Invalid
Changed in firefox (Ubuntu Lucid):
assignee: nobody → Micah Gersten (micahg)
status: Triaged → In Progress
Changed in firefox (Ubuntu Maverick):
assignee: nobody → Micah Gersten (micahg)
status: Triaged → In Progress
Changed in firefox (Ubuntu Natty):
assignee: nobody → Micah Gersten (micahg)
status: Triaged → In Progress
Changed in firefox (Ubuntu Oneiric):
assignee: nobody → Chris Coulson (chrisccoulson)

Comment on attachment 557158
Patch (v1)

> // By request of the Dutch government

I suggest this comment be reworded. This comment
implies we yielded to government pressure. I doubt
that's the case.

How about something like "Staat der Nederlanden Root CA
certified their subordinate DigiNotar CAs were good"?
If it turns out their subordinate DigiNotar CAs were
also attacked, then that'll be reason to remove the
trust for Staat der Nederlanden Root CA.

Similarly, we should ask each of the root CA that
has a subordinate DigiNotar CA to either certify
or revoke the subordinate DigiNotar CA. This is a
good test for the trustworthiness of the root CAs.

(In reply to Wan-Teh Chang from comment #14)
> How about something like "Staat der Nederlanden Root CA
> certified their subordinate DigiNotar CAs were good"?

Sshhh, but does that really matter? This is effectively, and right now, used as a revolving door by DigiNotar. I suggest to A) review this decision, B) check your procedures for such incidents, C) perhaps consult the Mozilla CA Policy.

It does look very bad in my opinion and it appears to contradict the decision to remove this root.

(In reply to Wan-Teh Chang from comment #14)
> Comment on attachment 557158
> Patch (v1)
>
> > // By request of the Dutch government
>
> I suggest this comment be reworded. This comment
> implies we yielded to government pressure. I doubt
> that's the case.

Can someone please blog on the Mozilla Security Blog explaining this part of the situation? How it came about, what has been excepted and what effect it has on people visiting sites that are part of this exception. Thank you.

Mozilla believes that the exemption for certificates under Staat der Nederlanden roots is justified, and it is in line with what other browsers are doing (which used different technical measures which made an exception unnecessary). We will be posting on the security blog soon with a fuller explanation of this. The comment in the source code is not the full story.

Gerv

An explanation would be certainly helpful, thanks.

Considering the patch that landed is actually completely different than what this bug was about, I'm updating the summary and such to reflect that. It would be nice to get the actual patch added as an attachment here.

In a conference of the Dutch government held right now, they also give up trust in their certificates and they expect the browsers to follow.

Could someone on this bug either indicate what verification steps should be done to verify or even better go ahead and verify yourself. TIA!

Seconding Matt, QA would like to verify this behavior before signing off, but it's unclear how we should be doing it. Any hints would be appreciated.

Glen Turner (gdt-gdt) wrote :

http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/
says
"DigiNotar issues certificates as part of the Dutch government’s PKIoverheid (PKIgovernment) program. These certificates are issued from a different DigiNotar-controlled intermediate, and chain up to the Dutch government CA (Staat der Nederlanden). The Dutch government’s Computer Emergency Response Team (GovCERT) indicated that these certificates are issued independently of DigiNotar’s other processes and that, in their assessment, these had not been compromised. The Dutch government therefore requested that we exempt these certificates from the removal of trust, which we agreed to do in our initial security update early this week.

The Dutch government has since audited DigiNotar’s performance and rescinded this assessment. We are now removing the exemption for these certificates, meaning that all DigiNotar certificates will be untrusted by Mozilla products."

Micah Gersten (micahg) on 2011-09-05
summary: - DigiNotar patch erroneously blocks one of the two Staat der Nederlanden
- roots
+ Remove the exemptions for the Staat der Nederlanden root
description: updated

The following sites should work before the patch, and not after:

Staat der Nederlanden Root CA - G2 via Diginotar PKIOverheid CA Organisatie - G2:
  https://belastingbalie.eindhoven.nl/ (Issued: 4th Feb 2011)

Staat der Nederlanden Root CA via Diginotar PKIoverheid CA Overheid en Bedrijven:
  https://www.nifpnet.nl/ (Issued 12th May 2011)

I _think_ you should expect to see an overridable "cert_not_trusted" error.

Gerv

Setting resolution to Verified Fixed on Mozilla/5.0 (Windows NT 6.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

Both sites from comment 29 are now showing the "Untrusted Connection Page".
The error is displayed under technical details: "The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)"

The same behavior applies on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

This bug needs to be verified against all the branches marked above as fixed. The Verified state is also for trunk, not 6.0.2, which is what you used for testing. Please test at least across 3.6.22 build 2, 6.0.2 build 2, and 7.0b4#2.

I've verified this against 3.6.22(build2), 6.0.2(build2), 7.0b4(build2), and latest Nightly using Windows XP or Mac. The first URL in comment #29 is now using a certificate, issued on 9/5, by a different certificate authority, so there is no error. This is to be expected. The second URL is untrusted but overridable.

*** Bug 684747 has been marked as a duplicate of this bug. ***

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 3.6.22+build2+nobinonly-0ubuntu0.10.10.1

---------------
firefox (3.6.22+build2+nobinonly-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release v3.6.22 (FIREFOX_3_6_22_BUILD2)
    - Distrust and disable all DigiNotar certs including the Staat der
      Nederlanden Certificates (LP: #838322)
 -- Micah Gersten <email address hidden> Mon, 05 Sep 2011 13:42:50 -0500

Changed in firefox (Ubuntu Maverick):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xulrunner-1.9.2 - 1.9.2.22+build2+nobinonly-0ubuntu0.10.04.1

---------------
xulrunner-1.9.2 (1.9.2.22+build2+nobinonly-0ubuntu0.10.04.1) lucid-security; urgency=low

  * New upstream release v1.9.2.22 (FIREFOX_3_6_22_BUILD2)
    - Distrust all DigiNotar certs including the Staat der Nederlanden
      Certificates; The certificates will be disabled in NSS (LP: #838322)
 -- Micah Gersten <email address hidden> Mon, 05 Sep 2011 14:55:57 -0500

Changed in xulrunner-1.9.2 (Ubuntu Lucid):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xulrunner-1.9.2 - 1.9.2.22+build2+nobinonly-0ubuntu0.10.10.1

---------------
xulrunner-1.9.2 (1.9.2.22+build2+nobinonly-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release v1.9.2.22 (FIREFOX_3_6_22_BUILD2)
    - Distrust all DigiNotar certs including the Staat der Nederlanden
      Certificates; The certificates will be disabled in NSS (LP: #838322)
 -- Micah Gersten <email address hidden> Mon, 05 Sep 2011 15:01:02 -0500

Changed in xulrunner-1.9.2 (Ubuntu Maverick):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 3.6.22+build2+nobinonly-0ubuntu0.10.04.1

---------------
firefox (3.6.22+build2+nobinonly-0ubuntu0.10.04.1) lucid-security; urgency=low

  * New upstream release v3.6.22 (FIREFOX_3_6_22_BUILD2)
    - Distrust and disable all DigiNotar certs including the Staat der
      Nederlanden Certificates (LP: #838322)
 -- Micah Gersten <email address hidden> Mon, 05 Sep 2011 13:36:05 -0500

Changed in firefox (Ubuntu Lucid):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 6.0.2+build2+nobinonly-0ubuntu0.11.04.1

---------------
firefox (6.0.2+build2+nobinonly-0ubuntu0.11.04.1) natty-security; urgency=low

  * New upstream stable release (FIREFOX_6_0_2_BUILD2)
    - Distrust and disable all DigiNotar certs including the Staat der
      Nederlanden Certificates (LP: #838322)
 -- Micah Gersten <email address hidden> Mon, 05 Sep 2011 00:40:30 -0500

Changed in firefox (Ubuntu Natty):
status: In Progress → Fix Released
Anonymous (sjklfjalkfsakl) wrote :

To make this fully fixed, Thunderbird also needs to be updated to 6.0.2 (Oneiric) or 3.1.14 (earlier distributions). I see that you forgot to list Thunderbird as affected, so I tried adding it.

(In reply to Vlad [QA] from comment #30)
> Setting resolution to Verified Fixed on Mozilla/5.0 (Windows NT 6.1;
> rv:6.0.2) Gecko/20100101 Firefox/6.0.2
>
> Both sites from comment29 are now showing the "Untrusted Connection Page"
> The error is displayed under technical details: "The certificate is not
> trusted because the issuer certificate is unknown.Error code:
> sec_error_unknown_issuer)
>
> The same behavior applies on:
> Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:6.0.2) Gecko/20100101
> Firefox/6.0.2
> Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
> Mozilla/5.0 (X11; Linux x86_64; rv:6.0.2) Gecko/20100101 Firefox/6.0.2

But I can still go into their websites even in Firefox 6.0.2.
For both websites I did not get the "Untrusted Connection Page", and I did not get the error displayed under technical details: "The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)"

Micah Gersten (micahg) wrote :

Sorry, I do have thunderbird builds ready, I just forgot to add it to this bug.

Changed in thunderbird (Ubuntu Lucid):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: New → In Progress
status: In Progress → Fix Committed
Micah Gersten (micahg) wrote :

Builds are in the ubuntu-mozilla-security PPA for 3.1.14, mozillateam/thunderbird-stable has 6.0.2

Changed in thunderbird (Ubuntu Maverick):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: New → Fix Committed
Changed in thunderbird (Ubuntu Natty):
assignee: nobody → Micah Gersten (micahg)
importance: Undecided → Medium
status: New → Fix Committed
Micah Gersten (micahg) wrote :

thunderbird | 7.0~b2+build2+nobinonly1-0ubuntu1 | oneiric | source, amd64, i386

Changed in thunderbird (Ubuntu Oneiric):
assignee: nobody → Chris Coulson (chrisccoulson)
importance: Undecided → Medium
status: New → Fix Released
Micah Gersten (micahg) wrote :

   firefox | 7.0~b4+build2+nobinonly-0ubuntu1 | oneiric | source, amd64, i386

Changed in firefox (Ubuntu Oneiric):
status: Triaged → Fix Released

Because both websites have meanwhile been issued new certificates, they are no longer valid testcases.

Micah Gersten (micahg) on 2011-09-08
description: updated

This needs to be verified on Aurora.

(In reply to Henrik Skupin (:whimboo) from comment #35)
> Because both websites have been issued new certificates meanwhile. Which
> means they are no valid testcases anymore.

New testcase: the Dutch secret service still has a Diginotar cert!

Staat der Nederlanden Root CA via Diginotar PKIoverheid CA Overheid en Bedrijven:
https://www.aivd.nl/

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package thunderbird - 3.1.15+build1+nobinonly-0ubuntu0.11.04.1

---------------
thunderbird (3.1.15+build1+nobinonly-0ubuntu0.11.04.1) natty-security; urgency=low

  * New upstream release v3.1.15 (THUNDERBIRD_3_1_15_BUILD1)
    - see USN-1213-1

thunderbird (3.1.14+build2+nobinonly-0ubuntu0.11.04.1) natty-security; urgency=low

  * New upstream release v3.1.14 (THUNDERBIRD_3_1_14_BUILD2)
    - Reenable one of the Staat der Nederlanden Certificates; This was not a
      part of the compromised DigiNotar certificates (LP: #838322)
 -- Micah Gersten <email address hidden> Thu, 22 Sep 2011 01:19:34 -0500

Changed in thunderbird (Ubuntu Natty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package thunderbird - 3.1.15+build1+nobinonly-0ubuntu0.10.04.1

---------------
thunderbird (3.1.15+build1+nobinonly-0ubuntu0.10.04.1) lucid-security; urgency=low

  * New upstream release v3.1.15 (THUNDERBIRD_3_1_15_BUILD1)
    - see USN-1213-1

thunderbird (3.1.14+build2+nobinonly-0ubuntu0.10.04.1) lucid-security; urgency=low

  * New upstream release v3.1.14 (THUNDERBIRD_3_1_14_BUILD2)
    - Reenable one of the Staat der Nederlanden Certificates; This was not a
      part of the compromised DigiNotar certificates (LP: #838322)
 -- Micah Gersten <email address hidden> Wed, 21 Sep 2011 14:15:06 -0500

Changed in thunderbird (Ubuntu Lucid):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package thunderbird - 3.1.15+build1+nobinonly-0ubuntu0.10.10.1

---------------
thunderbird (3.1.15+build1+nobinonly-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release v3.1.15 (THUNDERBIRD_3_1_15_BUILD1)
    - see USN-1213-1

thunderbird (3.1.14+build2+nobinonly-0ubuntu0.10.10.1) maverick-security; urgency=low

  * New upstream release v3.1.14 (THUNDERBIRD_3_1_14_BUILD2)
    - Reenable one of the Staat der Nederlanden Certificates; This was not a
      part of the compromised DigiNotar certificates (LP: #838322)
 -- Micah Gersten <email address hidden> Wed, 21 Sep 2011 17:16:47 -0500

Changed in thunderbird (Ubuntu Maverick):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xulrunner-1.9.2 - 1.9.2.27+build1+nobinonly-0ubuntu0.11.04.1

---------------
xulrunner-1.9.2 (1.9.2.27+build1+nobinonly-0ubuntu0.11.04.1) natty-security; urgency=low

  * SECURITY UPDATE: New upstream release v1.9.2.27 (FIREFOX_3_6_27_BUILD1)
    See the following for more information:
    - LP: #934073
    - USN-1353-1
    - USN-1251-1
    - USN-1210-1
    - LP: #838322
    - LP: #837557
    - USN-1184-1
    - USN-1149-1
 -- Jamie Strandboge <email address hidden> Fri, 17 Feb 2012 08:04:19 -0600

Changed in xulrunner-1.9.2 (Ubuntu Natty):
status: Invalid → Fix Released