Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates
On Fri, May 19, 2017 at 10:46:35AM -0500, Michael Shuler wrote: > On 05/19/2017 10:07 AM, Chris Lamb wrote: > > I've uploaded ca-certificates 20161130+nmu1 to DELAYED/5: > > > > ca-certificates (20161130+nmu1) unstable; urgency=medium > > > > * Non-maintainer upload. > > * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they > > are > > now untrusted by the major browser vendors. Closes: #858539 > > Thank you for the NMU, Chris, I'm good with that change. Do you plan on making a similar update to oldstable (jessie)? By the way, I see the 2.11 update to unstable is still pending, but I have managed to merge in the above NMU in the git repository and pushed it to collab-maint. https://anonscm.debian.org/git/collab-maint/ca-certificates.git/commit/?id=c5f9e62eb3a307ccb3d581dba7c38d19b6a5ba87 Is there something blocking that 2.11 upload? I have also prepared an upload for jessie and wheezy that would fix this bug, attached. I wonder, however, what the correct course of action is considering that you have that 2.11 update pending - shouldn't we just trickle down certdata.txt down into all suites? Let me know how we should process this, A. From 9ac1618482517826a10a9dc0a49c8b3bc5595cb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?=Date: Thu, 6 Jul 2017 13:28:22 -0400 Subject: [PATCH] merge in NMU for #858539 --- debian/changelog | 9 + mozilla/blacklist.txt | 16 2 files changed, 25 insertions(+) diff --git a/debian/changelog b/debian/changelog index a6b8b1e..88a7f1d 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +ca-certificates (20141019+deb8u4) jessie; urgency=medium + + [ Chris Lamb ] + * Non-maintainer upload. + * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are +now untrusted by the major browser vendors. Closes: #858539 + + -- Antoine Beaupré Thu, 06 Jul 2017 13:18:47 -0400 + ca-certificates (20141019+deb8u3) jessie; urgency=medium [ Michael Shuler ] 
diff --git a/mozilla/blacklist.txt b/mozilla/blacklist.txt index 911f9f1..6ea1732 100644 --- a/mozilla/blacklist.txt +++ b/mozilla/blacklist.txt @@ -5,3 +5,19 @@ # DigiNotar Root CA (see debbug#639744) "DigiNotar Root CA" + +# StartCom and WoSign certificates are now untrusted by the major browser +# vendors[0]. See [1] for discussion. The list was generated by: +# +# $ egrep 'WoSign|StartCom' mozilla/certdata.txt \ +# | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq +# +# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/ +# [1] https://bugs.debian.org/858539 +# +"StartCom Certification Authority" +"StartCom Certification Authority G2" +"WoSign" +"WoSign China" +"Certification Authority of WoSign G2" +"CA WoSign ECC Root" -- 2.11.0 From 68c8120346a4b7dfae0dca9ccc44d8d78e632700 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antoine=20Beaupr=C3=A9?= Date: Thu, 6 Jul 2017 13:34:53 -0400 Subject: [PATCH] merge in NMU for #858539 --- debian/changelog | 9 + mozilla/blacklist.txt | 16 2 files changed, 25 insertions(+) diff --git a/debian/changelog b/debian/changelog index 013e86e..38c035e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +ca-certificates (20130119+deb7u3) wheezy-security; urgency=medium + + [ Chris Lamb ] + * Non-maintainer upload. + * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are +now untrusted by the major browser vendors. Closes: #858539 + + -- Antoine Beaupré Thu, 06 Jul 2017 13:33:56 -0400 + ca-certificates (20130119+deb7u2) oldstable; urgency=medium * mozilla/{certdata.txt,nssckbi.h}: diff --git a/mozilla/blacklist.txt b/mozilla/blacklist.txt index 911f9f1..6ea1732 100644 --- a/mozilla/blacklist.txt +++ b/mozilla/blacklist.txt 
@@ -5,3 +5,19 @@ # DigiNotar Root CA (see debbug#639744) "DigiNotar Root CA" + +# StartCom and WoSign certificates are now untrusted by the major browser +# vendors[0]. See [1] for discussion. The list was generated by: +# +# $ egrep 'WoSign|StartCom' mozilla/certdata.txt \ +# | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq +# +# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/ +# [1] https://bugs.debian.org/858539 +# +"StartCom Certification Authority" +"StartCom Certification Authority G2" +"WoSign" +"WoSign China" +"Certification Authority of WoSign G2" +"CA WoSign ECC Root" -- 2.11.0 signature.asc Description: PGP signature
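Review bot: The comment block added to mozilla/blacklist.txt in both the jessie and wheezy patches says the roots are "now untrusted by the major browser vendors" but omits the caveat discussed earlier in this bug: browsers (via libnss) only reject certificates issued after October 21, 2016, whereas a blacklist.txt entry drops the root from the bundle entirely, so certificates issued before the cut-off also stop validating in curl and other ca-certificates consumers. Suggest a line after the "[1]" reference along the lines of "# Browsers only distrust certs issued after 2016-10-21; ca-certificates cannot date-gate, so pre-cut-off certs are affected too." so the behavioural difference is documented where users will look for it.

Review bot: The changelog entries in both patches carry "* Non-maintainer upload." under a "[ Chris Lamb ]" attribution but are signed by Antoine Beaupré and target different suites ("jessie" versus "wheezy-security"); suggest stating in each entry that it backports the 20161130+nmu1 change from unstable, so the provenance and the intended upload path for each suite are clear to whoever reviews the stable updates.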
Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates
Hello folks,

I wanted to register a voice of dissent here. I don't think "embarrassment" justifies breaking people's working and valid certificates in this way.

This is only barely a security issue - StartCom and WoSign were being punished for not following the rules. The reduced trust in their roots was not caused by any actual user harm, it was a punitive measure to show the world that certificate authorities cannot get away with flouting the rules. All they did was fudge some dates to help their customers work around issues caused by the forced SHA-1 deprecation.

The browser vendors recognized this and took special care to design the punishment in a way that wouldn't break existing sites. That is why there is a cut-off date involved.

Debian's participation in this is not necessary to punish these vendors; the browsers have that well in hand!

I have not seen any explanation of why this is actually a security concern; as far as I can tell, all Debian is accomplishing here is to hurt its own users and innocent third parties.

I am one such party; this impacts me (and my users), because pagekite (as packaged and shipped by Debian) is connecting to servers that use a pre-cut-off TLS certificate, a certificate that has no security issues. Due to complicating factors at my end (a lot of my users are in an embedded environment where updates are difficult), it is not easy for me to change certificates. Others may be in the same boat; I think it's safe to assume that anyone still using a StartCom cert is doing so because their circumstance makes migration difficult.

Thanks for listening and thanks for your work on Debian,

- Bjarni
Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates
On 05/19/2017 10:07 AM, Chris Lamb wrote:
> I've uploaded ca-certificates 20161130+nmu1 to DELAYED/5:
>
> ca-certificates (20161130+nmu1) unstable; urgency=medium
>
>   * Non-maintainer upload.
>   * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are
>     now untrusted by the major browser vendors. Closes: #858539

Thank you for the NMU, Chris, I'm good with that change.

--
Kind regards,
Michael
Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates
tags 858539 + pending patch thanks I've uploaded ca-certificates 20161130+nmu1 to DELAYED/5: ca-certificates (20161130+nmu1) unstable; urgency=medium * Non-maintainer upload. * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are now untrusted by the major browser vendors. Closes: #858539 The full debdiff is attached. Regards, -- ,''`. : :' : Chris Lamb `. `'` la...@debian.org / chris-lamb.co.uk `- diffstat for ca-certificates-20161130 ca-certificates-20161130+nmu1 debian/changelog |8 mozilla/blacklist.txt | 16 2 files changed, 24 insertions(+) diff -Nru ca-certificates-20161130/debian/changelog ca-certificates-20161130+nmu1/debian/changelog --- ca-certificates-20161130/debian/changelog 2016-12-01 04:20:53.0 +0100 +++ ca-certificates-20161130+nmu1/debian/changelog 2017-05-19 16:53:16.0 +0200 @@ -1,3 +1,11 @@ +ca-certificates (20161130+nmu1) unstable; urgency=medium + + * Non-maintainer upload. + * Add StartCom and WoSign certificates to mozilla/blacklist.txt as they are +now untrusted by the major browser vendors. Closes: #858539 + + -- Chris LambFri, 19 May 2017 16:53:16 +0200 + ca-certificates (20161130) unstable; urgency=medium [ Philipp Kern ] diff -Nru ca-certificates-20161130/mozilla/blacklist.txt ca-certificates-20161130+nmu1/mozilla/blacklist.txt --- ca-certificates-20161130/mozilla/blacklist.txt 2016-11-03 08:40:01.0 +0100 +++ ca-certificates-20161130+nmu1/mozilla/blacklist.txt 2017-05-19 16:53:16.0 +0200 
@@ -5,3 +5,19 @@ # DigiNotar Root CA (see debbug#639744) "DigiNotar Root CA" + +# StartCom and WoSign certificates are now untrusted by the major browser +# vendors[0]. See [1] for discussion. The list was generated by: +# +# $ egrep 'WoSign|StartCom' mozilla/certdata.txt \ +# | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq +# +# [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/ +# [1] https://bugs.debian.org/858539 +# +"StartCom Certification Authority" +"StartCom Certification Authority G2" +"WoSign" +"WoSign China" +"Certification Authority of WoSign G2" +"CA WoSign ECC Root"
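Review bot: The generation command recorded in the blacklist.txt hunk (egrep 'WoSign|StartCom' mozilla/certdata.txt | grep UTF | sed 's/CKA_LABEL UTF8 //' | uniq) only deduplicates because each root's CKA_LABEL appears twice in certdata.txt and the copies end up adjacent after grep; it also collapses the two distinct StartCom roots that share the label "StartCom Certification Authority" (the raw pipeline output earlier in this bug shows four occurrences) into a single entry. Both are fine since blacklist.txt matches by label, but a short note in the comment that label matching intentionally removes every root carrying that name would save the next reader from wondering whether a root was missed.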
Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates
severity 858539 serious
thanks

We should not release stretch with these certificates; not only would it be embarrassing to do so given that they have ceased to work in modern browsers for some time, we are also simply putting our users at risk.

Whilst there will be more CA screwups in the future, we should release with our reasonable best effort, which surely means "just" removing these.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates
On Mon, Mar 27, 2017 at 10:39:17AM -0400, Antoine Beaupre wrote:
> On Thu, Mar 23, 2017 at 09:25:42AM -0500, Michael Shuler wrote:
> > Thanks for the report, Chris.
>
> Any timeline for this deployment? Do you need help with patching this
> in?

Actually, I'm not sure I understand what's going on here. While Mozilla announced they would stop trusting WoSign, they didn't actually remove the trust roots from the store. Indeed, they said they "may choose to remove them at any point after March 2017", which they haven't done yet.

WoSign and StartCom are still both here:

https://mozillacaprogram.secure.force.com/CA/CACertificatesInFirefoxReport

and here:

https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

... the latter seemingly being the source for our own certdata.txt.

That said, Mozilla should refuse certs issued after October 21, 2016, something we can't do ourselves. So the patch would probably be to add this to the blacklist.txt file:

"StartCom Certification Authority"
"StartCom Certification Authority"
"StartCom Certification Authority"
"StartCom Certification Authority"
"StartCom Certification Authority G2"
"StartCom Certification Authority G2"
"WoSign"
"WoSign"
"WoSign China"
"WoSign China"
"Certification Authority of WoSign G2"
"Certification Authority of WoSign G2"
"CA WoSign ECC Root"
"CA WoSign ECC Root"

This list was generated with:

egrep 'WoSign|StartCom' mozilla/certdata.txt | grep UTF | sed 's/CKA_LABEL UTF8 //'

I hope that helps!

A.
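The label-extraction pipeline and the date-gating limitation described in the message above, as an added Python example that is not part of the bug report or of the ca-certificates package: it reproduces the egrep/sed/uniq extraction over a constructed certdata.txt excerpt and contrasts the libnss-style cut-off check with what a blacklist.txt entry actually does. The excerpt, the helper names and the treatment of the cut-off date as exclusive are assumptions.

```python
import re
from datetime import date

# Constructed certdata.txt-style excerpt (not the real file): every root
# carries the same CKA_LABEL twice (certificate object and trust object),
# and the two StartCom roots share one label, as the raw pipeline output
# in this bug shows. "Example Root CA" is a made-up non-matching root.
CERTDATA = """\
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "StartCom Certification Authority"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "StartCom Certification Authority"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "StartCom Certification Authority"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "StartCom Certification Authority"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "CA WoSign ECC Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "CA WoSign ECC Root"
"""

LABEL_RE = re.compile(r'^CKA_LABEL UTF8 (".*")$')
CUTOFF = date(2016, 10, 21)  # Mozilla's distrust cut-off cited in the bug

def blacklist_labels(certdata, pattern="WoSign|StartCom"):
    """Mirror egrep | grep UTF | sed | uniq: quoted CKA_LABEL values that
    match pattern, with adjacent duplicates collapsed like uniq does."""
    want = re.compile(pattern)
    labels = []
    for line in certdata.splitlines():
        m = LABEL_RE.match(line)
        if m and want.search(m.group(1)) and labels[-1:] != [m.group(1)]:
            labels.append(m.group(1))
    return labels

def trust_decisions(issuer_label, not_before_iso, blacklist):
    """Return (browser_trusts, ca_certificates_trusts) for a leaf cert.
    Browsers keep the root but reject certs issued after CUTOFF (the
    libnss date check); a blacklist.txt entry drops the root from the
    bundle, so curl and friends reject every chain to it, whatever the date."""
    distrusted = {label.strip('"') for label in blacklist}
    not_before = date.fromisoformat(not_before_iso)
    browser = not (issuer_label in distrusted and not_before > CUTOFF)
    bundle = issuer_label not in distrusted
    return browser, bundle
```

A certificate issued by a listed root before the cut-off is the case where the two policies diverge: still accepted by a browser, rejected once the root is blacklisted.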
Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates
Antoine,

> Any timeline for this deployment?

Thu 23 09:12 < jmm_> next point release. along with the generic ca-certificates refresh

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates
On Thu, Mar 23, 2017 at 09:25:42AM -0500, Michael Shuler wrote:
> Thanks for the report, Chris.

Any timeline for this deployment? Do you need help with patching this in?

A.
Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates
Michael Shuler wrote:

> libnss performs date checks on certs signed by these roots […]
> Blacklisting StartCom and WoSign roots will possibly invalidate some
> user's pre- Oct 21, 2016 valid certificates, but I think that is
> probably OK.

I agree :)

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-
Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates
On 03/23/2017 04:02 AM, Chris Lamb wrote:
> StartCom and WoSign certificates are now untrusted by the major browser
> vendors[0][1], making websites that use certs from these vendors
> inaccessible.

I followed these events on dev-security-policy and libnss performs date checks on certs signed by these roots, which ca-certificates has no facility to perform.

> However, as this is not reflected in ca-certificates, tools such as curl
> still interpret these as valid/secure.

Blacklisting StartCom and WoSign roots will possibly invalidate some user's pre- Oct 21, 2016 valid certificates, but I think that is probably OK.

> (This has a knock-on effect that health-check tools that use the output
> of such tools to determine whether a site is "up" — eg. updown.io — will
> misleadingly imply that the site is available to users when, in all
> practical senses, they are not.)
>
> I would suggest we remove the offending authorities from ca-certificates
> as soon as possible.
>
>
> [0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
> [1] My installation "chrome-stable" rejects them as well.

Thanks for the report, Chris.

--
Kind regards,
Michael
Bug#858539: ca-certificates: Contains untrusted StartCom and WoSign certificates
Package: ca-certificates
Version: 20141019+deb8u2
Severity: important
Tags: security

Hi,

StartCom and WoSign certificates are now untrusted by the major browser vendors[0][1], making websites that use certs from these vendors inaccessible.

However, as this is not reflected in ca-certificates, tools such as curl still interpret these as valid/secure.

(This has a knock-on effect that health-check tools that use the output of such tools to determine whether a site is "up" — eg. updown.io — will misleadingly imply that the site is available to users when, in all practical senses, they are not.)

I would suggest we remove the offending authorities from ca-certificates as soon as possible.

[0] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
[1] My installation "chrome-stable" rejects them as well.

Regards,

--
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      la...@debian.org / chris-lamb.co.uk
       `-