Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates

2017-07-06 Thread Antoine Beaupre
On Fri, May 19, 2017 at 10:46:35AM -0500, Michael Shuler wrote:
> On 05/19/2017 10:07 AM, Chris Lamb wrote:
> > I've uploaded ca-certificates 20161130+nmu1 to DELAYED/5:
> >   
> >   ca-certificates (20161130+nmu1) unstable; urgency=medium
> >   
> > * Non-maintainer upload.
> > * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
> >   now untrusted by the major browser vendors. Closes: #858539
> 
> Thank you for the NMU, Chris, I'm good with that change.

Do you plan on making a similar update to oldstable (jessie)?

By the way, I see the 2.11 update to unstable is still pending, but I
have managed to merge in the above NMU in the git repository and pushed
it to collab-maint.

https://anonscm.debian.org/git/collab-maint/ca-certificates.git/commit/?id=c5f9e62eb3a307ccb3d581dba7c38d19b6a5ba87

Is there something blocking that 2.11 upload?

I have also prepared an upload for jessie and wheezy that would fix this
bug, attached. I wonder, however, what the correct course of action is
considering that you have that 2.11 update pending - shouldn't we just
trickle certdata.txt down into all suites?

Let me know how we should process this,

A.
From 9ac1618482517826a10a9dc0a49c8b3bc5595cb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= 
Date: Thu, 6 Jul 2017 13:28:22 -0400
Subject: [PATCH] merge in NMU for #858539

---
 debian/changelog  |  9 +
 mozilla/blacklist.txt | 16 
 2 files changed, 25 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index a6b8b1e..88a7f1d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+ca-certificates (20141019+deb8u4) jessie; urgency=medium
+
+  [ Chris Lamb ]
+  * Non-maintainer upload.
+  * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
+now untrusted by the major browser vendors. Closes: #858539
+
+ -- Antoine Beaupré   Thu, 06 Jul 2017 13:18:47 -0400
+
 ca-certificates (20141019+deb8u3) jessie; urgency=medium
 
   [ Michael Shuler ]
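Review bot: the wrapped bullet continuation `+now untrusted by the major browser vendors. Closes: #858539` carries no indentation, and the trailer `+ -- Antoine Beaupré   Thu, 06 Jul 2017 13:18:47 -0400` shows nothing between the name and the date where `<email>` belongs; dpkg-parsechangelog wants the continuation indented under its `*` and the trailer in the form ` -- Name <email>  date`, so if these are not just mail-extraction artefacts the entry will be rejected at build time. A second, minor point: the entry is signed by a different person than the one credited in the `[ Chris Lamb ]` block, so a matching `[ Antoine Beaupré ]` block for the backport itself would keep the attribution honest.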
diff --git a/mozilla/blacklist.txt b/mozilla/blacklist.txt
index 911f9f1..6ea1732 100644
--- a/mozilla/blacklist.txt
+++ b/mozilla/blacklist.txt
@@ -5,3 +5,19 @@
 
 # DigiNotar Root CA (see debbug#639744)
 "DigiNotar Root CA"
+
+# StartCom and WoSign certificates are now untrusted by the major browser
+# vendors[0]. See [1] for discussion. The list was generated by:
+#
+#   $ egrep 'WoSign|StartCom' mozilla/certdata.txt \
+# | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq
+#
+# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
+# [1] https://bugs.debian.org/858539
+#
+"StartCom Certification Authority"
+"StartCom Certification Authority G2"
+"WoSign"
+"WoSign China"
+"Certification Authority of WoSign G2"
+"CA WoSign ECC Root"
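Review bot: the comment above the new entries should say that blacklisting by root label removes trust from every certificate chaining to these roots, including ones issued before the 21 October 2016 cut-off that Firefox and Chrome still accept because their date check lives in the browser rather than in the trust store; earlier in this bug that breakage was accepted deliberately, and saying so next to the entries gives anyone who hits it the rationale without a trip to [1]. One line such as `# Note: this also drops certificates issued before 2016-10-21 that browsers still accept.` would do.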
-- 
2.11.0

From 68c8120346a4b7dfae0dca9ccc44d8d78e632700 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= 
Date: Thu, 6 Jul 2017 13:34:53 -0400
Subject: [PATCH] merge in NMU for #858539

---
 debian/changelog  |  9 +
 mozilla/blacklist.txt | 16 
 2 files changed, 25 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 013e86e..38c035e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+ca-certificates (20130119+deb7u3) wheezy-security; urgency=medium
+
+  [ Chris Lamb ]
+  * Non-maintainer upload.
+  * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
+now untrusted by the major browser vendors. Closes: #858539
+
+ -- Antoine Beaupré   Thu, 06 Jul 2017 13:33:56 -0400
+
 ca-certificates (20130119+deb7u2) oldstable; urgency=medium
 
   * mozilla/{certdata.txt,nssckbi.h}:
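Review bot: the distribution field is `wheezy-security` here but `jessie` in the companion patch; the two go through different queues (the security archive versus the release team's proposed-updates), so choose the route per suite deliberately and keep the two uploads consistent, and if this one really is a security upload then `urgency=high` is the customary value rather than `medium`. The version string `20130119+deb7u3` correctly continues the existing `+deb7u2`.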
diff --git a/mozilla/blacklist.txt b/mozilla/blacklist.txt
index 911f9f1..6ea1732 100644
--- a/mozilla/blacklist.txt
+++ b/mozilla/blacklist.txt
@@ -5,3 +5,19 @@
 
 # DigiNotar Root CA (see debbug#639744)
 "DigiNotar Root CA"
+
+# StartCom and WoSign certificates are now untrusted by the major browser
+# vendors[0]. See [1] for discussion. The list was generated by:
+#
+#   $ egrep 'WoSign|StartCom' mozilla/certdata.txt \
+# | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq
+#
+# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
+# [1] https://bugs.debian.org/858539
+#
+"StartCom Certification Authority"
+"StartCom Certification Authority G2"
+"WoSign"
+"WoSign China"
+"Certification Authority of WoSign G2"
+"CA WoSign ECC Root"
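Review bot: the entry list and the `index 911f9f1..6ea1732` blob pair are identical to the jessie patch, so the list was generated once against a newer certdata.txt and copied, while the comment claims it was generated from `mozilla/certdata.txt`; rerun the documented `egrep 'WoSign|StartCom' mozilla/certdata.txt` command against wheezy's own 20130119 snapshot before uploading, so the comment is true for this tree. Entries that match no label in that file are harmless, but a StartCom or WoSign label present in wheezy and absent from this list would stay trusted.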
-- 
2.11.0





Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates

2017-06-02 Thread Bjarni Runar Einarsson
Hello folks,

I wanted to register a voice of dissent here. I don't think
"embarrassment" justifies breaking people's working and valid
certificates in this way.

This is only barely a security issue - StartCom and WoSign were
being punished for not following the rules.

The reduced trust in their roots was not caused by any
actual user harm; it was a punitive measure to show the world
that certificate authorities cannot get away with flouting the
rules. All they did was fudge some dates to help their customers
work around issues caused by the forced SHA-1 deprecation. The
browser vendors recognized this and took special care to design
the punishment in a way that wouldn't break existing sites. That
is why there is a cut-off date involved.

Debian's participation in this is not necessary to punish these
vendors; the browsers have that well in hand! I have not seen any
explanation of why this is actually a security concern; as far as
I can tell, all Debian is accomplishing here is to hurt its own
users and innocent third parties.

I am one such party; this impacts me (and my users), because
pagekite (as packaged and shipped by Debian) is connecting to
servers that use an pre-cut-off TLS certificate, a certificate
that has no security issues. Due to complicating factors at my
end (a lot of my users are in an embedded environment where
updates are difficult), it is not easy for me to change
certificates. Others may be in the same boat; I think it's safe
to assume that anyone still using a StartCom cert is doing so
because their circumstance makes migration difficult.

Thanks for listening and thanks for your work on Debian,

 - Bjarni



Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates

2017-05-19 Thread Michael Shuler
On 05/19/2017 10:07 AM, Chris Lamb wrote:
> I've uploaded ca-certificates 20161130+nmu1 to DELAYED/5:
>   
>   ca-certificates (20161130+nmu1) unstable; urgency=medium
>   
> * Non-maintainer upload.
> * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
>   now untrusted by the major browser vendors. Closes: #858539

Thank you for the NMU, Chris, I'm good with that change.

-- 
Kind regards,
Michael






Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates

2017-05-19 Thread Chris Lamb
tags 858539 + pending patch
thanks

I've uploaded ca-certificates 20161130+nmu1 to DELAYED/5:
  
  ca-certificates (20161130+nmu1) unstable; urgency=medium
  
* Non-maintainer upload.
* Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
  now untrusted by the major browser vendors. Closes: #858539

The full debdiff is attached.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-
diffstat for ca-certificates-20161130 ca-certificates-20161130+nmu1

 debian/changelog  |8 
 mozilla/blacklist.txt |   16 
 2 files changed, 24 insertions(+)

diff -Nru ca-certificates-20161130/debian/changelog 
ca-certificates-20161130+nmu1/debian/changelog
--- ca-certificates-20161130/debian/changelog   2016-12-01 04:20:53.0 
+0100
+++ ca-certificates-20161130+nmu1/debian/changelog  2017-05-19 
16:53:16.0 +0200
@@ -1,3 +1,11 @@
+ca-certificates (20161130+nmu1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
+now untrusted by the major browser vendors. Closes: #858539
+
+ -- Chris Lamb   Fri, 19 May 2017 16:53:16 +0200
+
 ca-certificates (20161130) unstable; urgency=medium
 
   [ Philipp Kern ]
diff -Nru ca-certificates-20161130/mozilla/blacklist.txt 
ca-certificates-20161130+nmu1/mozilla/blacklist.txt
--- ca-certificates-20161130/mozilla/blacklist.txt  2016-11-03 
08:40:01.0 +0100
+++ ca-certificates-20161130+nmu1/mozilla/blacklist.txt 2017-05-19 
16:53:16.0 +0200
@@ -5,3 +5,19 @@
 
 # DigiNotar Root CA (see debbug#639744)
 "DigiNotar Root CA"
+
+# StartCom and WoSign certificates are now untrusted by the major browser
+# vendors[0]. See [1] for discussion. The list was generated by:
+#
+#   $ egrep 'WoSign|StartCom' mozilla/certdata.txt \
+# | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq
+#
+# [0] 
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
+# [1] https://bugs.debian.org/858539
+#
+"StartCom Certification Authority"
+"StartCom Certification Authority G2"
+"WoSign"
+"WoSign China"
+"Certification Authority of WoSign G2"
+"CA WoSign ECC Root"
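Review bot: `"StartCom Certification Authority"` covers two distinct root certificates that share that CKA_LABEL (the un-deduplicated list earlier in this bug shows the label four times, and certdata.txt carries two `CKA_LABEL` lines per root, one on the certificate object and one on its trust object), and blacklist.txt matches on label, so the single entry removes both; a one-line comment saying so would stop a later reader from assuming one root was missed. The `| uniq` in the documented command only works because the duplicate lines are adjacent in certdata.txt; `sort -u` would be the safer spelling.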


Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates

2017-05-04 Thread Chris Lamb
severity 858539 serious
thanks


We should not release stretch with these certificates; not only would
it be embarrassing to do so given that they have ceased to work in
modern browsers for some time, we are also simply putting our users
at risk.

Whilst there will be more CA screwups in the future, we should release
with our reasonable best effort, which surely means "just" removing
these.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates

2017-03-27 Thread Antoine Beaupre
On Mon, Mar 27, 2017 at 10:39:17AM -0400, Antoine Beaupre wrote:
> On Thu, Mar 23, 2017 at 09:25:42AM -0500, Michael Shuler wrote:
> > Thanks for the report, Chris.
> 
> Any timeline for this deployment? Do you need help with patching this
> in?

Actually, I'm not sure I understand what's going on here. While Mozilla
announced they would stop trusting WoSign, they didn't actually remove
the trust roots from the store. Indeed, they said they "may choose to
remove them at any point after March 2017", which they haven't done yet.
WoSign and StartCom are still both here:

https://mozillacaprogram.secure.force.com/CA/CACertificatesInFirefoxReport

and here:

https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

... the latter seemingly being the source for our own certdata.txt.

That said, Mozilla should refuse certs issued after October 21, 2016,
something we can't do ourselves. So the patch would probably be to add
this to the blacklist.txt file:

"StartCom Certification Authority"
"StartCom Certification Authority"
"StartCom Certification Authority"
"StartCom Certification Authority"
"StartCom Certification Authority G2"
"StartCom Certification Authority G2"
"WoSign"
"WoSign"
"WoSign China"
"WoSign China"
"Certification Authority of WoSign G2"
"Certification Authority of WoSign G2"
"CA WoSign ECC Root"
"CA WoSign ECC Root"

This list was generated with:

egrep 'WoSign|StartCom' mozilla/certdata.txt | grep UTF | sed 's/CKA_LABEL UTF8 //'

I hope that helps!

A.
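The `egrep ... | sed` pipeline Antoine gives above (and the `| uniq` variant in the blacklist.txt comment of the patches earlier on this page) counts CKA_LABEL lines rather than certificates, which is why every label shows up twice and "StartCom Certification Authority" four times. The following is an added example, not code from the ca-certificates package (its real build script is not reproduced here): a small parser for the certdata.txt object layout that counts distinct certificate objects per label and then drops the objects whose label appears in a blacklist.txt, which is the mechanism the package relies on. The certdata excerpt, its placeholder octal bodies and the "Example Trusted Root" name are constructed for the example.

```python
import re

# Constructed excerpt in the certdata.txt object layout. Real entries also
# carry CKA_SUBJECT, CKA_ISSUER, CKA_SERIAL_NUMBER and trust-flag lines; the
# MULTILINE_OCTAL bodies below are placeholders, not real DER.
CERTDATA = r'''
BEGINDATA

# Certificate "StartCom Certification Authority"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "StartCom Certification Authority"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\001
END

# Trust for "StartCom Certification Authority"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "StartCom Certification Authority"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Certificate "StartCom Certification Authority" (second root, same label)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "StartCom Certification Authority"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\002
END

# Trust for "StartCom Certification Authority"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "StartCom Certification Authority"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Certificate "WoSign"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "WoSign"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\003
END

# Certificate "DigiNotar Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "DigiNotar Root CA"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\004
END

# Certificate "Example Trusted Root" (constructed name)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\202\001\005
END
'''

# Constructed blacklist.txt in the same style as the one in this bug.
BLACKLIST = '''
# DigiNotar Root CA (see debbug#639744)
"DigiNotar Root CA"

# StartCom and WoSign (see https://bugs.debian.org/858539)
"StartCom Certification Authority"
"StartCom Certification Authority G2"
"WoSign"
"WoSign China"
"Certification Authority of WoSign G2"
"CA WoSign ECC Root"
'''


def parse_objects(text):
    """Split certdata.txt into objects. Each object starts at a CKA_CLASS
    line and becomes a dict of attribute name -> value; MULTILINE_OCTAL
    values run to the next END line and UTF8 values lose their quotes."""
    objects, current = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip() or line.startswith("#") or line == "BEGINDATA":
            continue
        name, typ, value = (line.split(" ", 2) + ["", ""])[:3]
        if typ == "MULTILINE_OCTAL":
            body = []
            while i < len(lines) and lines[i] != "END":
                body.append(lines[i])
                i += 1
            i += 1  # consume the END line
            value = "".join(body)
        elif typ == "UTF8":
            value = value.strip('"')
        if name == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is None:
            raise ValueError(f"attribute {name} before any CKA_CLASS line")
        current[name] = value
    return objects


def matching_labels(text, pattern):
    """Distinct labels of certificate objects matching `pattern`, each with
    the number of distinct certificate objects carrying it. The grep/sed
    pipeline counts CKA_LABEL lines (two per root); this counts roots."""
    counts = {}
    for obj in parse_objects(text):
        if obj.get("CKA_CLASS") != "CKO_CERTIFICATE":
            continue
        label = obj.get("CKA_LABEL", "")
        if re.search(pattern, label):
            counts[label] = counts.get(label, 0) + 1
    return counts


def load_blacklist(text):
    """Quoted labels from a blacklist.txt; comments and blank lines ignored."""
    labels = set()
    for line in text.splitlines():
        line = line.strip()
        if len(line) >= 2 and line.startswith('"') and line.endswith('"'):
            labels.add(line[1:-1])
    return labels


def trusted_certificates(text, blacklist):
    """Labels of certificate objects that survive the blacklist, in file
    order. Matching is by label, so one entry removes every root sharing
    that label. (Trust flags are not evaluated in this simplified model.)"""
    return [obj["CKA_LABEL"] for obj in parse_objects(text)
            if obj.get("CKA_CLASS") == "CKO_CERTIFICATE"
            and obj["CKA_LABEL"] not in blacklist]


if __name__ == "__main__":
    print(matching_labels(CERTDATA, r"WoSign|StartCom"))
    print(trusted_certificates(CERTDATA, load_blacklist(BLACKLIST)))
```

Run against a real certdata.txt, `matching_labels` shows which entries in blacklist.txt name more than one root, and `trusted_certificates` shows what would still be shipped, which is the check worth doing per suite before backporting the blacklist.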




Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates

2017-03-27 Thread Chris Lamb
Antoine,

> Any timeline for this deployment?

Thu 23 09:12 < jmm_> next point release. along with the generic ca-certificates refresh


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates

2017-03-27 Thread Antoine Beaupre
On Thu, Mar 23, 2017 at 09:25:42AM -0500, Michael Shuler wrote:
> Thanks for the report, Chris.

Any timeline for this deployment? Do you need help with patching this
in?

A.




Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates

2017-03-23 Thread Chris Lamb
Michael Shuler wrote:

> libnss performs date checks on certs signed by these roots
[…]
> Blacklisting StartCom and WoSign roots will possibly invalidate some
> users' pre-Oct 21, 2016 valid certificates, but I think that is
> probably OK.

I agree :)


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-



Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates

2017-03-23 Thread Michael Shuler
On 03/23/2017 04:02 AM, Chris Lamb wrote:
> StartCom and WoSign certificates are now untrusted by the major browser
> vendors[0][1], making websites that use certs from these vendors
> inaccessible.

I followed these events on dev-security-policy and libnss performs date
checks on certs signed by these roots, which ca-certificates has no
facility to perform.

> However, as this is not reflected in ca-certificates, tools such as curl
> still interpret these as valid/secure.

Blacklisting StartCom and WoSign roots will possibly invalidate some
users' pre-Oct 21, 2016 valid certificates, but I think that is
probably OK.

> (This has a knock-on effect that health-check tools that use the output
> of such tools to determine whether a site is "up" — eg. updown.io — will
> misleadingly imply that the site is available to users when, in all
> practical senses, they are not.)
> 
> I would suggest we remove the offending authorities from ca-certificates
> as soon as possible.
> 
> 
> [0] 
> https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
> [1] My installation "chrome-stable" rejects them as well.

Thanks for the report, Chris.

-- 
Kind regards,
Michael
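To make concrete the point Michael and Antoine make in this bug (libnss checks a certificate's date against the browsers' cut-off, whereas ca-certificates can only drop a root entirely), here is an added example in Python. It is not code from ca-certificates or NSS; it models the two rules over constructed chains. The intermediate names are made up, and the cut-off "issued after October 21, 2016" is assumed to mean notBefore on or after 2016-10-21 at day granularity.

```python
from datetime import date

# Root labels as listed in the blacklist.txt entries in this bug.
DISTRUSTED_ROOTS = {
    "StartCom Certification Authority",
    "StartCom Certification Authority G2",
    "WoSign",
    "WoSign China",
    "Certification Authority of WoSign G2",
    "CA WoSign ECC Root",
}

# Assumption: the browsers' cut-off modelled as notBefore >= 2016-10-21.
CUTOFF = date(2016, 10, 21)


def browser_verdict(chain, not_before):
    """Date-aware distrust as the thread describes the browsers' rule.
    `chain` is [leaf, intermediate..., root] by label. Only a chain that
    is anchored in a distrusted root AND whose leaf was issued on or after
    the cut-off is rejected; older leaves under those roots still verify."""
    root = chain[-1]
    if root in DISTRUSTED_ROOTS and not_before >= CUTOFF:
        return "reject"
    return "accept"


def store_verdict(chain, blacklist):
    """What a trust store can express: a root in blacklist.txt is not
    shipped in /etc/ssl/certs, so no chain anchored in it validates for
    curl, OpenSSL or anything else reading the store, whatever the dates."""
    return "reject" if chain[-1] in blacklist else "accept"


# Constructed chains; intermediate names are invented for the example.
SAMPLE_CHAINS = {
    "startcom leaf issued before cut-off": (
        ["leaf", "StartCom Class 1 Intermediate", "StartCom Certification Authority"],
        date(2016, 6, 1)),
    "startcom leaf issued after cut-off": (
        ["leaf", "StartCom Class 1 Intermediate", "StartCom Certification Authority"],
        date(2017, 1, 15)),
    "wosign leaf issued before cut-off": (
        ["leaf", "WoSign Intermediate", "WoSign"],
        date(2016, 3, 1)),
    "unrelated root": (
        ["leaf", "Example Intermediate", "Example Trusted Root"],
        date(2017, 1, 15)),
}


def compare(blacklist=DISTRUSTED_ROOTS):
    """Map each sample to (browser verdict, trust-store verdict)."""
    return {name: (browser_verdict(chain, nb), store_verdict(chain, blacklist))
            for name, (chain, nb) in SAMPLE_CHAINS.items()}


def collateral(blacklist=DISTRUSTED_ROOTS):
    """Samples the browsers still accept but the trust store rejects: the
    pre-cut-off certificates that a label blacklist necessarily breaks."""
    return sorted(name for name, (browser, store) in compare(blacklist).items()
                  if browser == "accept" and store == "reject")


if __name__ == "__main__":
    for name, (browser, store) in compare().items():
        print(f"{name:38s} browser={browser:7s} store={store}")
    print("broken only by the store-level blacklist:", collateral())
```

The `collateral` set is exactly the class of deployments Bjarni describes later in this bug: a pre-cut-off leaf under a StartCom root that browsers still accept. A store-level distrust cannot carve that case out, so the decision to blacklist is a decision to break those chains, and that is what the blacklist.txt comment ought to say.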



Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates

2017-03-23 Thread Chris Lamb
Package: ca-certificates
Version: 20141019+deb8u2
Severity: important
Tags: security

Hi,

StartCom and WoSign certificates are now untrusted by the major browser
vendors[0][1], making websites that use certs from these vendors
inaccessible.

However, as this is not reflected in ca-certificates, tools such as curl
still interpret these as valid/secure.

(This has a knock-on effect that health-check tools that use the output
of such tools to determine whether a site is "up" — eg. updown.io — will
misleadingly imply that the site is available to users when, in all
practical senses, they are not.)

I would suggest we remove the offending authorities from ca-certificates
as soon as possible.


[0] 
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
[1] My installation "chrome-stable" rejects them as well.


Regards,

-- 
  ,''`.
 : :'  : Chris Lamb
 `. `'`  la...@debian.org / chris-lamb.co.uk
   `-