Block shady SSL certificates

By Jaaap on Wednesday 31 August 2011 17:37 - Comments (22)
Category: -, Views: 5.765

What's up?
There's been a lot of news lately regarding problems with SSL certificates.
IMHO, once a Root CA messes up and makes even one tiny mistake, they should be banned for life.
Who should you block?
CNNIC
This is a Root CA owned by the Chinese government.
This effectively means that the Chinese government can carry out a man-in-the-middle attack on any SSL connection that is routed through their network (mostly to a .cn web server or from a Chinese client).
Since the Chinese, like the Iranians, are known to violate their citizens' privacy, you cannot trust them with a Root CA and therefore they should be blocked.

Shame on Mozilla for adding this certificate to Firefox.
Comodo
Comodo has issued fraudulent SSL certificates after being hacked. Their security is obviously not at a sufficiently high level.
DigiNotar
DigiNotar's fraudulent SSL certificates have been used by the Iranian government to spy on their citizens. They knew they were hacked 6 months ago, blocked a couple of the hacked certificates but forgot one for *.google.com.
They currently do not know if any more hacked certificates are out there.
How can I block these certificates?
Firefox
Go to Preferences -> Advanced -> Encryption -> View certificates, select the certificates you don't trust and press "Delete or Distrust..." -> ok.
Safari (Mac)
Quit Safari and open Utilities -> Keychain Access.
Search for the name of what you want to block, right-click it, click "Get Info", open the "Trust" section and select "Never Trust".
Internet Explorer
Go to Tools -> "Internet Options" -> Content -> Certificates -> "Trusted Root Certification Authorities" and remove the items you don't trust.

Feel free to leave a comment if I missed a Root CA or a how-to for another browser.
Linux
http://www.wtfy.org/2010/03/not-to-trust-in-cnnic/
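As an added example (not from the original post or the linked page): on Linux, Chrome and Firefox keep their trust decisions in NSS databases, and certutil from libnss3-tools can mark a root as untrusted much like the Firefox "Distrust" button. The database paths, the "sql:" prefix and the certificate nickname are assumptions; take the nickname from `certutil -L` output.

```shell
#!/bin/sh
# Added example, not from the original post. Distrusts a root CA in the NSS
# databases used by Chrome (~/.pki/nssdb) and Firefox profiles on Linux.
# Requires certutil from libnss3-tools. The "sql:" prefix assumes the cert9.db
# format; older profiles that still use cert8.db need "dbm:" instead.

# Trust flags ",," = no trust for TLS, e-mail or code signing. The cert stays
# in the database, so it can be re-trusted later (e.g. -t "CT,C,C").
DISTRUST_FLAGS=",,"

# Read `certutil -L` output on stdin and print the trust flags of nickname $1.
# Each entry line is "<nickname> <flags>"; the flags are the last field.
nss_trust_flags() {
    awk -v n="$1" '{ flags = $NF; line = $0
                     sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)
                     if (line == n) { print flags; exit } }'
}

# Succeed (exit 0) only if nickname $2 in database $1 carries no trust at all.
nss_is_distrusted() {
    flags=$(certutil -d "sql:$1" -L 2>/dev/null | nss_trust_flags "$2")
    [ "$flags" = "$DISTRUST_FLAGS" ]
}

# Remove trust for nickname $1 in every NSS database that contains it.
nss_distrust_everywhere() {
    nick="$1"
    command -v certutil >/dev/null 2>&1 || { echo "certutil not found (install libnss3-tools)" >&2; return 1; }
    for db in "$HOME/.pki/nssdb" "$HOME"/.mozilla/firefox/*/; do
        db=${db%/}
        [ -d "$db" ] || continue
        # Skip databases that do not hold this root at all.
        certutil -d "sql:$db" -L -n "$nick" >/dev/null 2>&1 || continue
        certutil -d "sql:$db" -M -n "$nick" -t "$DISTRUST_FLAGS"
        if nss_is_distrusted "$db" "$nick"; then
            echo "distrusted '$nick' in $db"
        else
            echo "failed to distrust '$nick' in $db" >&2
        fi
    done
}

# Usage: ./distrust-root.sh "<nickname exactly as shown by certutil -L>"
if [ $# -ge 1 ]; then
    nss_distrust_everywhere "$1"
fi
```

Restart the browser afterwards; sites whose chains end in that root will then fail verification, which is the effect Tim warns about in the comments.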


Comments


By Tweakers user karstnl, Wednesday 31 August 2011 17:56

Thanks a lot, although I thought there were more issues out there than just these three.

[Comment edited on Wednesday 31 August 2011 20:11]


By Tweakers user Jaaap, Wednesday 31 August 2011 18:14

karstnl wrote on Wednesday 31 August 2011 @ 17:56:
Thanks a lot, although I thought there were more issues out than just these three.
Please name them here.

By Tweakers user Jaaap, Wednesday 31 August 2011 18:20

Ok there's the MD5 problem:
http://tycoontalk.freelan...um/164113-ssl-hacked.html

Luckily Firefox doesn't do MD5 for SSL anymore:
http://blog.servertastic....op-accepting-md5-hash-alg

[Comment edited on Wednesday 31 August 2011 18:28]


By Tweakers user ZpAz, Wednesday 31 August 2011 18:40

Fine, you can block DigiNotar, but then you can of course forget about logging in to sites like DigiD. That's the tax office, DUO and the like.

Not that I still have any trust in DigiNotar, but okay.

[Comment edited on Wednesday 31 August 2011 18:40]


By Tweakers user Jaaap, Wednesday 31 August 2011 18:42

ZpAz wrote on Wednesday 31 August 2011 @ 18:40:
Fine, you can block DigiNotar, but then you can of course forget about logging in to sites like DigiD. That's the tax office, DUO and the like.
Yes, everyone has to decide for themselves whether they want to take the risk of using DigiD right now.
There is a chance that a man-in-the-middle attack can be carried out while you are submitting your tax return.

By Tweakers user MMaI, Wednesday 31 August 2011 18:46

Jaaap wrote on Wednesday 31 August 2011 @ 18:42:
[...]

Yes, everyone has to decide for themselves whether they want to take the risk of using DigiD right now.
There is a chance that a man-in-the-middle attack can be carried out while you are submitting your tax return.
That's really exaggerated, isn't it? No certificates have been wrongly issued for the DigiD-related domains...

By Tweakers user ZpAz, Wednesday 31 August 2011 18:46

Jaaap wrote on Wednesday 31 August 2011 @ 18:42:
[...]

Yes, everyone has to decide for themselves whether they want to take the risk of using DigiD right now.
There is a chance that a man-in-the-middle attack can be carried out while you are submitting your tax return.
Well, if the government sticks with DigiNotar now (which is probably the case) then you don't have much choice, it seems to me.

By Tweakers user Jaaap, Wednesday 31 August 2011 18:50

MMaI wrote on Wednesday 31 August 2011 @ 18:46:
That's really exaggerated, isn't it? No certificates have been wrongly issued for the DigiD-related domains...
DigiNotar says they are not sure whether any more false certificates have been issued.
ZpAz wrote on Wednesday 31 August 2011 @ 18:46:
Well, if the government sticks with DigiNotar now (which is probably the case) then you don't have much choice, it seems to me.
Unfortunately not :(

By Tweakers user Petervanakelyen, Wednesday 31 August 2011 19:11

Under Chrome it works like this:

Options --> Advanced options --> HTTPS/SSL --> Manage certificates --> Trusted Root Certification Authorities.

By Tim, Wednesday 31 August 2011 19:16

A word of warning to my fellow security-minded geeks:

I once removed a certificate from my browser after problems occurred at the issuing organization. From there on, I received a large number of errors visiting HTTPS sites, since the certificate was used widely - more than I expected it to be. (I removed the cert since I don't think I had the option of disabling it back then).

So please, make sure you know what you're doing. Although it will provide actual safety, it will prevent you from being able to easily use a potentially large number of websites, which is of course not to be unexpected.

By Tweakers user IStealYourGun, Wednesday 31 August 2011 20:20

There are a few companies who deliver security products that are able to do a man-in-the-middle attack on SSL connections. An authentic certificate will make the attack completely stealthy, but is not needed because you can only detect them by manually checking the certificate.

So if you are really paranoid, you better unplug the network-cable.

By Tim, Wednesday 31 August 2011 20:21

And a question as well:

When I remove all DigiNotar and Staat der Nederlanden root certificates, https://as.digid.nl/ is still being verified. When I check my root certificates again, I find that the Staat der Nederlanden root certificate has magically reappeared. What gives?

I'm using Google Chrome 14.0.835.122 beta-m on XP Home, SP3.

By Tweakers user Thralas, Wednesday 31 August 2011 21:27

This is a Root CA owned by the Chinese government.
This effectively means that the Chinese government can do a man-in-the-middle-attack on any SSL connection that is routed through their network (mostly to a .cn webserver or from a chinese client).
That is of course no different for the Dutch government and the Staat der Nederlanden CA.
Since the Chinese, like the Iranians, are known to violate their citizens' privacy, you cannot trust them with a Root CA and therefore they should be blocked.
Plenty of censorship, but that does not yet mean that large-scale privacy violations are taking place (apparently different in Iran)? Not an immediate reason to deny them a CA.

You are right, though, that a Chinese CA adds little value for many Dutch people, rather risks. That nicely illustrates how the PKI implementation in browsers is inherently broken.

In the same way, even before the DigiNotar incident one could reason that DigiNotar would reasonably never issue a legitimate certificate to Google. Yet a browser swallows the certificate without a warning..

By Tweakers user LeVortex, Thursday 1 September 2011 19:41

Some are already not listed, such as DigiNotar and Comodo; do you perhaps first have to have visited a site with a certificate from those CAs??

By Tweakers user WHiZZi, Friday 2 September 2011 10:20

With all due respect, but blocking Comodo is really unnecessary. After the hack, Comodo made some huge changes in how to request a certificate. The whois information has to match the request and they refuse any requests with less encryption than 2048 bits.

So blocking Comodo is really unfair. As a Comodo reseller, this way you're basically blocking a lot of customers.

By Tweakers user onok, Friday 2 September 2011 11:23

Pff, a real storm in a teacup, all this. All those certificates don't just suddenly become unsafe. There is nothing wrong with 99.9% of the certificates issued by DigiNotar and others. There is no evidence that these certificates are now unsafe.

Scaring end users with posts like this is not a good thing imo. If the government decides to start using new certificates, that is of course up to them. But until then you can just keep logging in to your DigiD.

By Tweakers user Jaaap, Friday 2 September 2011 11:33

WHiZZi wrote on Friday 02 September 2011 @ 10:20:
With all due respect, but blocking Comodo is really unnecessary. After the hack, Comodo made some huge changes in how to request a certificate. The whois information has to match the request and they refuse any requests with less encryption than 2048 bits.

So blocking Comodo is really unfair. As a Comodo reseller, this way you're basically blocking a lot of customers.
The problem is that during the time they were compromised, a hacker could have created a certificate that we don't know about which could still be abused now.

The whole SSL system is based on trust.
If you trust Comodo, don't delete the Root CA thingy.
onok wrote on Friday 02 September 2011 @ 11:23:
Pff, a real storm in a teacup, all this. All those certificates don't just suddenly become unsafe. There is nothing wrong with 99.9% of the certificates issued by DigiNotar and others. There is no evidence that these certificates are now unsafe.
Well there's a fundamental design flaw in SSL that makes this all so scary:
ANY Root CA can give out a certificate for ANY domain.
This means that if DigiNotar overlooks just 1 of the "hacked" certificates, it could be for ANY domain, like google.com, ing.nl, rabobank.nl... you get the picture.

In simple terms: if you (or your browser vendor) does not block all of DigiNotar, you might be the victim of a man-in-the-middle attack on ANY domain you visit.

[Comment edited on Friday 2 September 2011 11:38]


By Tweakers user WHiZZi, Friday 2 September 2011 11:58

The question to ask yourself is:
What are the odds that my connection will be a victim of a man-in-the-middle?
Otherwise, what will be the purpose of a hacker to hack me?

If you are this "secured" that you have to block normal CA's in order to feel yourself "safe", you might as well stop going out of the house because you might get attacked by aliens who will steal your money...

I mean, come on.. how far can you go. Some logical sense will prevent you get hijacked.. I mean, I won't go to https://digid.co.hk/nl.digid/nl/index.php and just think I'm on the digid.nl website (even if they managed to sign this domain with a DigiNotar or whatever CA).

Logical sense people, that's the whole key in this. If this can't make you feel safe, unplug your computer from the Internet and just go to the government building where you can talk face-to-face without DigiD ;)

By Tweakers user Jaaap, Friday 2 September 2011 12:10

I'm sorry WHiZZi but I disagree.
The problem is that even if you check that the URL is ok (like digid.nl or something) and you check that the SSL certificate is valid, you still are not safe.

The whole point of SSL to begin with was to ensure that the server you're talking to is the one you expect it to be and that the payload cannot be decrypted by someone else.

I don't really want to convince people that they should delete some Root CAs but I would like to inform them how SSL works, what its weak points are and what they could do to protect themselves if they wish.

By Tweakers user WHiZZi, Friday 2 September 2011 12:24

Jaaap wrote on Friday 02 September 2011 @ 12:10:
I'm sorry WHiZZi but I disagree.
The problem is that even if you check that the URL is ok (like digid.nl or something) and you check that the SSL certificate is valid, you still are not safe.
Oh, but I do agree with this. SSL is intended to encrypt traffic and to give you a level of safety about the server (and domain) to which you are connecting.

The disagreement is this:
I don't really want to convince people that they should delete some Root CAs
This blog is intended to show how you can block, in some cases, legit CA's. Line 4 of this blog says it:
Who should you block?
Both Comodo and DigiNotar are victims of hackers or human errors. In the Comodo case, they've changed the way of requesting SSL certificates and made a huge leap forward in making it harder to request an SSL certificate.

With this blog, you basically say to block these because a few months ago they've become victims? This gives people a wrong idea of security.

By Tweakers user TerraGuy, Friday 2 September 2011 20:02

VeriSign, the biggest CA authority, also made mistakes by giving out fake certificates (those fake MS certificates to name one). You should block VeriSign too then. And the US are known to torture people too, have killed many more (in total a million) people than the Chinese did in the past decade in the name of 'freedom' and more bullshit, while the Chinese just honestly say you cannot say or do just anything you like without consequences.

The US also tries to get as much info as possible from 'dangerous' people, normal people (bank account details etc when you fly to the US), European companies and more, so if you block China's certificates because China is not trustworthy, certainly don't forget to block everything from the US. :)

[Comment edited on Friday 2 September 2011 20:03]
