Feeds

Google might shun Dutch gov certificates from DigiNotar

Chrome update prepared to kill 2 certs

5 things you didn’t know about cloud backup

Updated In the wake of hundreds of fraudulent secure sockets layer certificates issued by DigiNotar, Google developers are preparing a version of the Chrome browser that rejects some web credentials sanctioned by the Dutch government's official certificate authority.

Source code posted Thursday afternoon California time on Google's own website would prevent Chrome from trusting any secure website signed by DigiNotar under an official program set up by the Dutch government. It was set up under the auspices of PKIoverheid, the official certificate authority of the Netherlands.

After this article was first published, Mozilla developers implemented a similar change that will cause users to receive a warning when they encounter PKIoverheid certificates signed by DigiNotar. It's unclear when the changes will take effect in Firefox, Thunderbird or SeaMonkey. Mozilla representatives didn't respond to an email request comment.

Shortly after Monday's discovery that DigiNotar had issued a fraudulent google.com certificate that was used to spy on people in Iran who accessed Gmail, Google, Mozilla, and Microsoft updated their software so it would no longer trust the Netherlands-based certificate authority. What Google and Mozilla, and possibly Microsoft as well, never said in their advisories was that their browsers and email applications would continue to trust two DigiNotar certificates that were linked to PKIoverheid.

All three software makers have ducked questions for three days, but a handful of web-based discussions show members of some of them arguing that the PKIoverheid-signed intermediate certificates can still be trusted. On Friday, around the same time this article was first published, Google issued its first on-the-record comment indicating the blocking of the DigiNotar-issued PKIoverheid certificates was under active discussion.

"We're currently evaluating a number of factors, and we want to be prepared to act if we need to," a spokesman wrote in an email. "Our top priority is to protect the privacy and security of our users. To be clear, in this instance we are considering a CA operated by DigiNotar, not the Staat de Nederlanden root CA. We encourage DigiNotar to provide a complete analysis of the situation."

It's unclear if or when Google intends to implement the planned changes. A few hours after the Chromium differential was posted publicly, access to it became restricted. A volunteer Chromium developer said the source code was a sign that at least some people inside Google may have reservations.

“The fact that Google is taking this preparatory step may be anticipating the worst,” said Ryan Sleevi, a who has contributed code to the Chromium project in the past. “It also seems to suggest that they may have information that PKIoverheid has been compromised or otherwise is untrustworthy through its link to Diginotar. PKIoverheid doesn't appear to have done anything wrong other than associating with DigiNotar.”

It's unclear how many website certificates might be affected by the move, but the number and profile of sites that use DigiNotar's PKIoverheid certificate could be considerably higher than those that rely on DigiNotar's root certificate alone. The site at https://www.nicugehoorscreening.nl appears to offer neonatal intensive care unit services from the Dutch government.

It appears as a valid SSL site under Google Chrome. If the changes under consideration are made, the browser would return an error that it's not to be trusted.

On Thursday, Mozilla Vice President of Technical Strategy Mike Shaver issued a series of tweets that appeared to indicate developers of the Firefox browser and Thunderbird email client were inclined to continue trusting the intermediate certificates. Responding to one Twitter dispatch asking what in one of the excepted certificates suggested it wasn't controlled by DigiNotar, Shaver offered the following response:

“nothing in the cert does. our conversations with the dutch authorities do. it doesn't chain to digitar *root*, right?”

A separate tweet posted Wednesday by Google security researcher Adam Langley said: “PKIoverheid is still allowed for now based on assurances from the Dutch government. Conversation still ongoing.”

Microsoft declined to say whether changes it has made to the Vista and later operating systems block the two PKIoverheid certificates signed by DigiNotar.

The relevant code in the version of Chromium is as follows:

Index: net/base/x509_certificate.cc
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc
index e96ece490ad4c32fafb735671317dae35115151e..36b0ed2bfcbf315595eb779922026c954db7d5b9 100644
--- a/net/base/x509_certificate.cc
+++ b/net/base/x509_certificate.cc
@@ -957,7 +957,7 @@ bool X509Certificate::IsBlacklisted() const {
 // static
 bool X509Certificate::IsPublicKeyBlacklisted(
     const std::vector<SHA1Fingerprint>& public_key_hashes) {
-  static const unsigned kNumHashes = 3;
+  static const unsigned kNumHashes = 5;
   static const uint8 kHashes[kNumHashes][base::SHA1_LENGTH] = {
     // Subject: CN=DigiNotar Root CA
     // Issuer: CN=Entrust.net x2 and self-signed
@@ -971,6 +971,14 @@ bool X509Certificate::IsPublicKeyBlacklisted(
     // Issuer: CN=Entrust.net
     {0xe2, 0x3b, 0x8d, 0x10, 0x5f, 0x87, 0x71, 0x0a, 0x68, 0xd9,
      0x24, 0x80, 0x50, 0xeb, 0xef, 0xc6, 0x27, 0xbe, 0x4c, 0xa6},
+    // Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2
+    // Issuer: CN=Staat der Nederlanden Organisatie CA - G2
+    {0x7b, 0x2e, 0x16, 0xbc, 0x39, 0xbc, 0xd7, 0x2b, 0x45, 0x6e,
+     0x9f, 0x05, 0x5d, 0x1d, 0xe6, 0x15, 0xb7, 0x49, 0x45, 0xdb},
+    // Subject: CN=DigiNotar PKIoverheid CA Overheid en Bedrijven
+    // Issuer: CN=Staat der Nederlanden Overheid CA
+    {0xe8, 0xf9, 0x12, 0x00, 0xc6, 0x5c, 0xee, 0x16, 0xe0, 0x39,
+     0xb9, 0xf8, 0x83, 0x84, 0x16, 0x61, 0x63, 0x5f, 0x81, 0xc5},
   };
 
   for (unsigned i = 0; i < kNumHashes; i++) {

It clearly shows two additional DigiNotar certificates, including their serial numbers, that would be blocked if the changes go into effect.

Asked why the source code was originally accessible to everyone and later was restricted, a Google spokesman said: “Code diffs may be private before they are committed. Commits to the tree will of course be public.”

Secure remote control for conventional and virtual desktops

More from The Register

next story
One HUNDRED FAMOUS LADIES exposed NUDE online
Celebrity women victimised as Apple iCloud accounts reportedly popped
Rubbish WPS config sees WiFi router keys popped in seconds
Another day, another way in to your home router
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
NZ Justice Minister scalped as hacker leaks emails
Grab your popcorn: Subterfuge and slur disrupts election run up
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.