Accueil » Trisquel » Tickets
Soumis par lembas le jeu, 05/17/2012 - 19:47

Abrowser comes with a bad root certificate

Projet:Trisquel
Composant:Programs
Catégorie:Rapporter un bogue
Priorité:critical
Attribué:Non assigné
Statut:closed
Description

If I got this right, following the breach of the Diginotar CA also the "Staat der Nederlanden" root certificate was revoked. However it is currently included in 5.5.

(This might be a problem with the LTS versions as well.)

References http://en.wikipedia.org/wiki/Diginotar

SirGrant:
dim, 05/20/2012 - 00:17
Statut:active» needs more info

I looked at this guide from mozilla on how to remove the certificate and could not find it in the options.

Also mozilla has removed it since firefox version 6.0.02 and 3.6.22 it shouldn't be an issue. This is because the lowest version of abrowser even in slaine should have this fix. However if someone does show this certificate please post it. I am going to check slaine in a virtual machine to see if it happens. Lembas you say you have it in your version of 5.5. Could you please confirm.

SirGrant:
dim, 05/20/2012 - 02:10

I tried it in version 4.0.1. On the default install which uses abrowser 3.x the problem occurs but after updating abrowser through the update manager it appears to be fixed. So I can not reproduce the problem on any updated versions of Trisquel.

lembas:
dim, 05/20/2012 - 08:36

To make it clear, the DigiNotar certificate wasn't there but the Staat was on a virgin 5.5.

I did not update which might fix it, unless we're talking about a LiveCD.

SirGrant:
dim, 05/20/2012 - 09:53

Oh I was specifically refering to DigiNotar. As far as Staat goes I would look at this blog post on the mozilla security blog. I would see the section specifically titled "Staat der Nederlanden Certificates"

I'm not totally clear if the Staat ones were compromised.

lembas:
lun, 05/21/2012 - 08:58

To me it reads they initially thought the Staat ones would still be good but after an investigation decided otherwise.

SirGrant:
lun, 05/28/2012 - 21:51

I think this is mozilla's position:

"Mozilla believes that the exemption for certificates under Staat der Nederlanden roots is justified, and it is in line with what other browsers are doing (which used different technical measures which made an exception unnecessary). We will be posting on the security blog soon with a fuller explanation of this. The comment in the source code is not the full story.

Gerv"

SirGrant:
mar, 08/21/2012 - 18:39
Statut:needs more info» closed

Marking as closed: 12 weeks with no response and no conclusion if we need to for sure remove the certificates. If new information comes up please re-open this issue and post the new information.