
Fraudulent certificates in the wild — again


Posted Jan 3, 2013 20:04 UTC (Thu) by mjg59 (subscriber, #23239)
In reply to: Fraudulent certificates in the wild — again by josh
Parent article: Fraudulent certificates in the wild — again

"Mozilla is actively revoking trust for the two mis-issued certificates which will be released to all supported versions of Firefox in the next update on Tuesday 8th January.

We have also suspended inclusion of the “TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007” root certificate, pending further review."

From https://blog.mozilla.org/security/2013/01/03/revoking-tru...


Fraudulent certificates in the wild — again

Posted Jan 3, 2013 20:06 UTC (Thu) by josh (subscriber, #17465) [Link]

Excellent! Thanks for the link.

I wonder why Google didn't do the same thing for Chrome?

Fraudulent certificates in the wild — again

Posted Jan 3, 2013 20:11 UTC (Thu) by cjr (subscriber, #88606) [Link]

Ironically, the certificate for that site was issued to blog.mozilla.com (rather than blog.mozilla.org), so I got a certificate error when I went to read that article.

Fraudulent certificates in the wild — again

Posted Jan 3, 2013 21:02 UTC (Thu) by josh (subscriber, #17465) [Link]

The certificate looks good here; it shows the hostname as blog.mozilla.org. What certificate did you get?

Fraudulent certificates in the wild — again

Posted Jan 3, 2013 21:10 UTC (Thu) by cesarb (subscriber, #6266) [Link]

He probably is using an older browser without support for Server Name Indication.

$ host blog.mozilla.com
blog.mozilla.com is an alias for blog.mozilla.org.
blog.mozilla.org has address 63.245.217.99
blog.mozilla.org has IPv6 address 2620:101:8008:5::2:5

$ openssl s_client -showcerts -connect 63.245.217.99:443
[...]
Server certificate
subject=/serialNumber=PJYd6s/lzd2zfglc6EAG5C/hVZfSySVY/C=US/ST=California/L=Mountain View/O=Mozilla Corporation/OU=IT/CN=blog.mozilla.com
issuer=/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
[...]

With the latest Firefox, I get the certificate for CN=blog.mozilla.org, instead of the one for CN=blog.mozilla.com. This probably means the server is using SNI to select the correct certificate, and since his older browser did not support it, the server did not know which certificate to use and sent the wrong one.
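An added example (not from the thread): a small Python parser for the legacy slash-separated subject line that openssl s_client prints above, plus a CN-against-hostname check of the kind a browser performs. The point worth seeing is that the serialNumber value in the quoted subject itself contains '/' characters, so the DN cannot simply be split on '/'. SUBJECT_LINE is copied from the output above; the function names are hypothetical.

```python
import re

# Subject line copied from the openssl s_client output quoted in the thread.
# Note the serialNumber value contains '/' characters of its own.
SUBJECT_LINE = ("subject=/serialNumber=PJYd6s/lzd2zfglc6EAG5C/hVZfSySVY/C=US"
                "/ST=California/L=Mountain View/O=Mozilla Corporation/OU=IT"
                "/CN=blog.mozilla.com")

# In the legacy openssl one-line format a '/' starts a new RDN only when it is
# directly followed by an attribute type and '='; other slashes belong to values.
# (A value containing a literal "/X=" would still be ambiguous in this format.)
_RDN_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_openssl_dn(line):
    """Parse an openssl 'subject=' or 'issuer=' line into ordered (type, value) pairs."""
    _, _, dn = line.partition("=")          # drop the 'subject' / 'issuer' prefix
    pairs = []
    for rdn in _RDN_SPLIT.split(dn):
        if not rdn:                          # empty element before the leading '/'
            continue
        attr, _, value = rdn.partition("=")
        pairs.append((attr, value))
    return pairs


def cn_matches_host(pairs, hostname):
    """True if any CN covers hostname: exact (case-insensitive) or a one-label wildcard.

    This mirrors what a browser checks for a certificate that carries no
    subjectAltName; modern validation prefers the SAN list, which the quoted
    s_client excerpt does not show.
    """
    host = hostname.lower().rstrip(".")
    for attr, cn in pairs:
        if attr != "CN":
            continue
        cn = cn.lower()
        if cn == host:
            return True
        if cn.startswith("*.") and "." in host and host.split(".", 1)[1] == cn[2:]:
            return True
    return False


if __name__ == "__main__":
    dn = parse_openssl_dn(SUBJECT_LINE)
    for requested in ("blog.mozilla.com", "blog.mozilla.org"):
        print(requested, "->", "OK" if cn_matches_host(dn, requested) else "MISMATCH")
```

Run against the subject quoted above it reports OK for blog.mozilla.com and MISMATCH for blog.mozilla.org, which is exactly the certificate error a client without SNI sees when the server falls back to its default certificate.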

Fraudulent certificates in the wild — again

Posted Jan 3, 2013 21:14 UTC (Thu) by cjr (subscriber, #88606) [Link]

Interesting, thanks for the information. Indeed, I am using IE8 on Windows XP, which does not appear to support Server Name Indication.

Fraudulent certificates in the wild — again

Posted Jan 4, 2013 13:53 UTC (Fri) by bbaetz (subscriber, #42501) [Link]

Windows XP doesn't support SNI, and IE uses the Windows libraries for SSL (Chrome may too - not sure). Firefox uses its own (NSS) so isn't tied to the Windows version. Which is the main reason why SNI use hasn't really taken off - it's only in the last year that people have been able to really stop supporting IE6 (with Google being big enough to not support IE8, a few other sites are starting to match). Not supporting WinXP on your website (which is what SNI effectively requires) is a lot further off - at best 2014 (when Microsoft stops supporting it).

Fraudulent certificates in the wild — again

Posted Jan 5, 2013 0:37 UTC (Sat) by Lennie (guest, #49641) [Link]

Chrome used to do that, in the first few versions, until 4 or something like that, which is ages ago, and no one should be using that anymore.

All versions of IE and Safari on XP or 2000 do not support SNI.

But also almost 50% of all Android phones do not support SNI, because Android 2.x does not support SNI.

Fraudulent certificates in the wild — again

Posted Jan 4, 2013 0:12 UTC (Fri) by csamuel (✭ supporter ✭, #2624) [Link]

Note that the CA root cert mentioned there is *not* the current one in Firefox; the Mozilla post has been updated to say:
Update: For clarification, the last sentence of this post references our actions to suspend inclusion of a TURKTRUST root certificate. There are currently two TURKTRUST root certificates included in Mozilla’s CA Certificate program. TURKTRUST had requested that a newer root certificate be included, and their request had been approved and was in Firefox 18 beta. However, due to the mis-issued intermediate certificates, we decided to suspend inclusion of their new root certificate for now.
The one currently in Firefox is the (c) 2005 certificate.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds