Re: Certificates with 2008 Debian weak key bug

2018-02-16 Thread Nick Lamb via dev-security-policy 
On Fri, 16 Feb 2018 11:28:41 +
Arkadiusz Ławniczak via dev-security-policy
 wrote:

>   The issue was caused by incorrect calculation of the SHA1
> fingerprint of public key. Public keys hashes stored in Certum's
> database was calculated from the Modulo key value with the Modulus
> prefix and a line ending character while the  value of public
> key from CSR was calculated and returned without these additional
> characters. So, this is the reason why the calculated fingerprint did
> not match the value from  Certum's database. Weak keys verification
> is tested each time before the new version of the software is
> deployed and also periodically as part of the test schedule.
> Unfortunately, the database of weak keys that served the tests
> contained keys hashes in incorrect formats, the parsed key was also
> in an incorrect format.   Therefore we could not recognize weak
> key in its "original" OpenSSL form. So each test returned false
> positives.

Thanks for your report Arkadiusz,

This is a reminder that just because your unit tests pass, doesn't mean
your larger system behaves how you think the unit tests mean it does. If
you want to be sure how the whole _system_ behaves (and for a CA we
certainly do want that) you're going to need to explicitly test that
whole system even if your unit tests are green.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

RE: Certificates with 2008 Debian weak key bug

2018-02-16 Thread Arkadiusz Ławniczak via dev-security-policy 
ke, please immediately 
contact the sender by e-mail or by telephone and delete this information from 
any computer. Thank you. Asseco Data Systems S.A.



-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+arkadiusz.lawniczak=assecods...@lists.mozilla.org]
 On Behalf Of Hanno Böck via dev-security-policy
Sent: Monday, February 5, 2018 5:08 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Certificates with 2008 Debian weak key bug

Hi,

I searched crt.sh for valid certificates vulnerable to the 2008 Debian weak key 
bug. (Only 2048 bit.)

Overall I found 5 unexpired certificates.

Two certificates by Certum (reported on Saturday, Certum told me "We have taken 
necessary steps to clarify this situation as soon as possible", they're not 
revoked yet):
https://crt.sh/?id=308392091=ocsp
https://crt.sh/?id=663=ocsp

Wosign:
https://crt.sh/?id=30347743
StartCom:
https://crt.sh/?id=54187884
https://crt.sh/?id=307753186

As we all know these are no longer trusted by Mozilla, I reported them 
nevertheless. No reply yet.

Old bugs never die, I recommend every CA adds a check for the Debian bug to 
their certificate issuance process.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Certificates with 2008 Debian weak key bug

2018-02-06 Thread Kurt Roeckx via dev-security-policy 

On 6/02/2018 17:10, Ryan Sleevi wrote:

The BRs actually seem to allow this, which at least looks like a bug in
the BRs to me.


It is allowed, and it's not a bug. It's specifically called out in 3.2.2 of
the BRs.


It seems that under 3.2.2.3 (b) they can just copy the ccTLD from the 
domain name, which seems rather useless to me.



Kurt


___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Certificates with 2008 Debian weak key bug

2018-02-06 Thread Ryan Sleevi via dev-security-policy 
On Tue, Feb 6, 2018 at 10:48 AM, Kurt Roeckx via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On 5/02/2018 17:08, Hanno Böck wrote:
>
>> https://crt.sh/?id=308392091=ocsp
>>
>
> It has:
>  Subject:
> commonName= ftp.gavdi.pl
> countryName   = PL
>
> This looks like a combination that's not allowed. Either it's domain
> validated, in which case it should not have a countryName, or it should
> contain other fields.
>
> The BRs actually seem to allow this, which at least looks like a bug in
> the BRs to me. It would be very handy that the OIDs from the BRs where used
> to indicate which validation was used.
>

It is allowed, and it's not a bug. It's specifically called out in 3.2.2 of
the BRs.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Certificates with 2008 Debian weak key bug

2018-02-06 Thread Kurt Roeckx via dev-security-policy 

On 5/02/2018 17:08, Hanno Böck wrote:

https://crt.sh/?id=308392091=ocsp


It has:
 Subject:
commonName= ftp.gavdi.pl
countryName   = PL

This looks like a combination that's not allowed. Either it's domain 
validated, in which case it should not have a countryName, or it should 
contain other fields.


The BRs actually seem to allow this, which at least looks like a bug in 
the BRs to me. It would be very handy that the OIDs from the BRs where 
used to indicate which validation was used.


It has:
X509v3 Certificate Policies:
Policy: 1.2.616.1.113527.2.5.1.9.6.3

That OID doesn't seem to be documented in the CPS.


Kurt
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Certificates with 2008 Debian weak key bug

2018-02-05 Thread Wayne Thayer via dev-security-policy 
On Mon, Feb 5, 2018 at 4:33 PM, Alex Cohn via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> I logged two of those five certificates (https://crt.sh/?id=308392091
> and https://crt.sh/?id=307753186) to Argon, as part of a project to
> log every certificate in the censys.io database to a public CT log. I
> believe Censys found them by scanning all of IPv4 and grabbing the
> default (i.e. no SNI) certificate presented on port 443.
>
> Given that this method will not uncover every certificate ever issued,
> and that Certum isn't or wasn't checking for weak keys and isn't
> logging certificates to CT, should Mozilla ask Certum to scan every
> currently-valid certificate they have issued for weak keys?
>
> Thanks for pointing this out Alex. I would like to think that this is
required by the incident report, but it's not specifically called out, so I
added this request to the bug.

Alex
>
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Certificates with 2008 Debian weak key bug

2018-02-05 Thread Alex Cohn via dev-security-policy 
I logged two of those five certificates (https://crt.sh/?id=308392091
and https://crt.sh/?id=307753186) to Argon, as part of a project to
log every certificate in the censys.io database to a public CT log. I
believe Censys found them by scanning all of IPv4 and grabbing the
default (i.e. no SNI) certificate presented on port 443.

Given that this method will not uncover every certificate ever issued,
and that Certum isn't or wasn't checking for weak keys and isn't
logging certificates to CT, should Mozilla ask Certum to scan every
currently-valid certificate they have issued for weak keys?

Alex

On Mon, Feb 5, 2018 at 2:56 PM, Hanno Böck via dev-security-policy
 wrote:
> On Mon, 5 Feb 2018 12:07:06 -0500
> Eric Mill via dev-security-policy
>  wrote:
>
>> WoSign and StartCom are untrusted, but Certum is still trusted, right?
>
> Yes.
>
> In case that was unclear: The sentence "As we all know these are no
> longer trusted by Mozilla, ..." was referring to the chapter above,
> i.e. the three Startcom+Wosign certs, not the whole mail.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Certificates with 2008 Debian weak key bug

2018-02-05 Thread Hanno Böck via dev-security-policy 
On Mon, 5 Feb 2018 12:07:06 -0500
Eric Mill via dev-security-policy
 wrote:

> WoSign and StartCom are untrusted, but Certum is still trusted, right?

Yes.

In case that was unclear: The sentence "As we all know these are no
longer trusted by Mozilla, ..." was referring to the chapter above,
i.e. the three Startcom+Wosign certs, not the whole mail.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Certificates with 2008 Debian weak key bug

2018-02-05 Thread Wayne Thayer via dev-security-policy 
I have filed https://bugzilla.mozilla.org/show_bug.cgi?id=1435770
requesting an incident report from Certum.

On Mon, Feb 5, 2018 at 10:07 AM, Eric Mill via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> WoSign and StartCom are untrusted, but Certum is still trusted, right?
>
> Yes, the two certificates issued by Certum are trusted by Mozilla.

On Mon, Feb 5, 2018 at 11:08 AM, Hanno Böck via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > Hi,
> >
> > I searched crt.sh for valid certificates vulnerable to the 2008 Debian
> > weak key bug. (Only 2048 bit.)
> >
> > Overall I found 5 unexpired certificates.
> >
> > Two certificates by Certum (reported on Saturday, Certum told me "We
> > have taken necessary steps to clarify this situation as soon as
> > possible", they're not revoked yet):
> > https://crt.sh/?id=308392091=ocsp
> > https://crt.sh/?id=663=ocsp
> >
> > Wosign:
> > https://crt.sh/?id=30347743
> > StartCom:
> > https://crt.sh/?id=54187884
> > https://crt.sh/?id=307753186
> >
> > As we all know these are no longer trusted by Mozilla, I reported them
> > nevertheless. No reply yet.
> >
> > Old bugs never die, I recommend every CA adds a check for the Debian
> > bug to their certificate issuance process.
>
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Certificates with 2008 Debian weak key bug

2018-02-05 Thread Eric Mill via dev-security-policy 
WoSign and StartCom are untrusted, but Certum is still trusted, right?

On Mon, Feb 5, 2018 at 11:08 AM, Hanno Böck via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Hi,
>
> I searched crt.sh for valid certificates vulnerable to the 2008 Debian
> weak key bug. (Only 2048 bit.)
>
> Overall I found 5 unexpired certificates.
>
> Two certificates by Certum (reported on Saturday, Certum told me "We
> have taken necessary steps to clarify this situation as soon as
> possible", they're not revoked yet):
> https://crt.sh/?id=308392091=ocsp
> https://crt.sh/?id=663=ocsp
>
> Wosign:
> https://crt.sh/?id=30347743
> StartCom:
> https://crt.sh/?id=54187884
> https://crt.sh/?id=307753186
>
> As we all know these are no longer trusted by Mozilla, I reported them
> nevertheless. No reply yet.
>
> Old bugs never die, I recommend every CA adds a check for the Debian
> bug to their certificate issuance process.
>
> --
> Hanno Böck
> https://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>



-- 
konklone.com | @konklone 
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Certificates with 2008 Debian weak key bug

2018-02-05 Thread Hanno Böck via dev-security-policy 
Hi,

I searched crt.sh for valid certificates vulnerable to the 2008 Debian
weak key bug. (Only 2048 bit.)

Overall I found 5 unexpired certificates.

Two certificates by Certum (reported on Saturday, Certum told me "We
have taken necessary steps to clarify this situation as soon as
possible", they're not revoked yet):
https://crt.sh/?id=308392091=ocsp
https://crt.sh/?id=663=ocsp

Wosign:
https://crt.sh/?id=30347743
StartCom:
https://crt.sh/?id=54187884
https://crt.sh/?id=307753186

As we all know these are no longer trusted by Mozilla, I reported them
nevertheless. No reply yet.

Old bugs never die, I recommend every CA adds a check for the Debian
bug to their certificate issuance process.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy