Kurt Roeckx <k...@roeckx.be> writes:

>The site hasn't been fixed, at least not for me.  

Ah, both Firefox and IE were connecting, but that was because the HTTPS got
redirected to plain HTTP, and any of the links to HTTPS sites that I could
find on the site led to a bewildering array of affiliated sites that all went
back to Comodo roots.

After some poking around I managed to find the same certs at
postofficeshop.de, but Firefox still connects to that.

>Here are the certificates I get:

Thanks!  Wow, what a mess, there's:

1018   45:                     SEQUENCE {
1020   37:                       OBJECT IDENTIFIER '1 3 6 1 4 1 311 21 8 3675690 6234259 10436751 12227305 62135 141 959321 10252252'
         :                         Error: OID contains random garbage.
1059    1:                       INTEGER 100
1062    1:                       INTEGER 6
         :                       }

(that's one of Microsoft's "encode random noise and call it an OID"), and then:

1209   68:                 SEQUENCE {
1211    9:                   OBJECT IDENTIFIER
         :                     sMIMECapabilities (1 2 840 113549 1 9 15)
1222   55:                   OCTET STRING, encapsulates {

for what is explicitly a TLS server cert:

1074   20:                     SEQUENCE {
1076    8:                       OBJECT IDENTIFIER
         :                         clientAuth (1 3 6 1 5 5 7 3 2)
1086    8:                       OBJECT IDENTIFIER
         :                         serverAuth (1 3 6 1 5 5 7 3 1)
         :                       }
         :                     }

Oh yeah, and the S/MIME implementation that their TLS server runs advertises:

1226   14:                       SEQUENCE {
1228    8:                         OBJECT IDENTIFIER rc2CBC (1 2 840 113549 3 2)
1238    2:                         INTEGER 128
         :                         }
1242   14:                       SEQUENCE {
1244    8:                         OBJECT IDENTIFIER rc4 (1 2 840 113549 3 4)
1254    2:                         INTEGER 128
         :                         }
1258    7:                       SEQUENCE {
1260    5:                         OBJECT IDENTIFIER desCBC (1 3 14 3 2 7)
         :                         }

because someone has to keep all those 1970s and 1980s ciphers alive somewhere.

Then the next cert has:

 710 2683:         SEQUENCE {
 714    3:           OBJECT IDENTIFIER nameConstraints (2 5 29 30)
 719 2674:           OCTET STRING, encapsulates {
 723 2670:             SEQUENCE {
 727 2616:               [0] {
 731   17:                 SEQUENCE {
 733   15:                   [2] 'adressdialog.de'
         :                   }
 750   20:                 SEQUENCE {
 752   18:                   [2] 'adress-research.de'
         :                   }
[on and on for hundreds of lines]

and:

3347   48:               [1] {
3349   10:                 SEQUENCE {
3351    8:                   [7] 00 00 00 00 00 00 00 00
         :                   }
3361   34:                 SEQUENCE {
3363   32:                   [7]
         :                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         :                     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         :                   }
         :                 }
         :               }

The recent CNNIC discussion mentioned the fact that trusted CAs shouldn't be
allowed to issue unconstrained certs for intermediate CAs.  Perhaps we need to
introduce requirements for drug-testing intermediates as well.

Peter.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
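
The `[7]` entries under `[1]` in the nameConstraints dump above are iPAddress constraints in excludedSubtrees, which RFC 5280 encodes as address octets followed by mask octets (8 octets for IPv4, 32 for IPv6). The following is an added example, not part of the original message, that decodes them; the function names are illustrative and the sample bytes are retyped from the dump.

```python
import ipaddress

def decode_ip_constraint(octets: bytes):
    """Decode an RFC 5280 nameConstraints iPAddress value (address || mask)."""
    if len(octets) not in (8, 32):
        raise ValueError(f"expected 8 or 32 octets, got {len(octets)}")
    half = len(octets) // 2
    addr, mask = octets[:half], octets[half:]
    bits = half * 8
    mask_int = int.from_bytes(mask, "big")
    prefix = bin(mask_int).count("1")
    # A valid CIDR mask is `prefix` one-bits followed only by zero-bits.
    if mask_int != ((1 << prefix) - 1) << (bits - prefix):
        raise ValueError("non-contiguous mask in iPAddress constraint")
    cls = ipaddress.IPv4Network if half == 4 else ipaddress.IPv6Network
    # strict=True (the default) rejects an address with host bits set.
    return cls((addr, prefix))

def is_excluded(ip_text: str, excluded) -> bool:
    """True if ip_text falls inside any excluded subtree of the same IP version."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip.version == net.version and ip in net for net in excluded)

# The two [7] values from the dump: 8 zero octets and 32 zero octets.
DUMP_VALUES = [bytes(8), bytes(32)]
EXCLUDED = [decode_ip_constraint(v) for v in DUMP_VALUES]

if __name__ == "__main__":
    for net in EXCLUDED:
        print("excludedSubtrees iPAddress:", net)
    # Constructed sample addresses (documentation ranges), not from the post.
    for sample in ("192.0.2.10", "2001:db8::1"):
        print(sample, "excluded:", is_excluded(sample, EXCLUDED))
```

The two entries decode to 0.0.0.0/0 and ::/0, so an iPAddress subjectAltName of either version falls inside an excluded subtree.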
