Firefox 6.0.2 fixes yet more DigiNotar certificate fallout

Filed Under: Featured, Firefox, Privacy

Firefox 6.0.2 has just come out, adding more protection to that provided by Firefox 6.0.1, which was necessitated by the mess caused by disgraced Dutch web security company DigiNotar.

(DigiNotar is the former Certificate Authority - or so-called "authority" - which managed to issue more than 500 bogus digital certificates in the name of major web properties such as Facebook, Twitter, Microsoft and Google; in the name of intelligence agencies such as the Mossad and the CIA; and even, it seems, in the name of other certifying authorities.)

Firefox 6.0.1 fixed Mozilla Foundation Security Advisory 2011-34, which simply pulled everything to do with DigiNotar from its list of trusted certificates. Loosely speaking, any certificate signed by DigitNotar, or any certificate signed by someone with a certificate signed by DigiNotar, and so ad infinitum, was blown out of the water.

Any website with a certificate bought through DigiNotar therefore become untrusted at once. As Mozilla quite bluntly explained in the 6.0.1 update, "sites using certificates issued by DigiNotar will need to seek another certificate vendor." And that's how it should be. A Certificate Authority isn't supposed to make mistakes of this sort - not at all, let alone to this extent.

However, Firefox 6.0.1 exempted from its blockade any DigitNotar-tainted certificates signed at the root level by the Dutch government itself, using its STAAT DER NEDERLANDEN ROOT CA signing certificate. The Dutch public service was apparently convinced that none of the certificates for which it was the root signatory had been affected by signing irregularities at DigiNotar.

It turned out that the Dutch authorities had not one, but two, Certificate Authorities of its own, and its second root certificate - imaginatively named STAAT DER NEDELANDEN ROOT CA - G2 was not exempted in Firefox 6.0.1.

This was reported as a bug, and Mozilla set about adding an additional exemption for DigiNotar-tainted certificates signed by this CA. This would have reduced the impact of the Firefox certificate blockade on the web services provided by the Dutch authorities.

In the interim, however, the Dutch government changed its mind on this exemption, so the Firefox bugfix changed from "exempt DigiNotar certificates signed by the government CA we left out last time" to "remove the DigiNotar exemption for the government CA we exempted last time."

This sort of step - vigorously disowning everything tainted by DigiNotar - is aggressive but, in my opinion, necessary. Getting into a certification relationship with company X is like buying shares in company X. If the price goes down, all shareholders lose out simultaneously. If the company goes down, you go down with it.

Let's see whether this fiasco causes the Dutch authorities to reconsider modern public service buzzwords such as "cloud" and "outsourcing"!


-
NB. This article was updated following an email from Naked Security reader Boris, who pointed out I hadn't read the Mozilla bugfix thread all the way through! The 6.0.2 patch doesn't back off slightly from its previous position of certificate blockage, as I said at first. It actually increases its extent, following the Dutch government's decision to abandon any certificates with DigiNotar in the signing chain. (Thanks, Boris.) And Dutch reader Beamzer suggested rewording the article to make it clear that the Dutch government's root certifcates themselves aren't revoked, just that having the Dutch government as a root signatory no longer exempts your DigiNotar-tainted certificates from being blocked. (Thanks, Beamzer.)

, , , , , , ,

You might like

One Response to Firefox 6.0.2 fixes yet more DigiNotar certificate fallout

  1. Tim · 1059 days ago

    Am I missing something obvious? After installing the 6.0.2 update, I can still see both 'Staat der Nederlanden' entries in the 'Authorities' tab in 'Certificate Manager'

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog