Original URL: http://www.theregister.co.uk/2011/09/02/google_chrome_diginotar/

Google might shun Dutch gov certificates from DigiNotar

Chrome update prepared to kill 2 certs

By Dan Goodin

Posted in Security, 2nd September 2011 16:57 GMT

Updated In the wake of hundreds of fraudulent secure sockets layer certificates issued by DigiNotar, Google developers are preparing a version of the Chrome browser that rejects some web credentials sanctioned by the Dutch government's official certificate authority.

Source code posted Thursday afternoon California time on Google's own website would prevent Chrome from trusting any secure website signed by DigiNotar under an official program set up by the Dutch government. It was set up under the auspices of PKIoverheid, the official certificate authority of the Netherlands.

After this article was first published, Mozilla developers implemented a similar change that will cause users to receive a warning when they encounter PKIoverheid certificates signed by DigiNotar. It's unclear when the changes will take effect in Firefox, Thunderbird or SeaMonkey. Mozilla representatives didn't respond to an email request comment.

Shortly after Monday's discovery that DigiNotar had issued a fraudulent google.com certificate that was used to spy on people in Iran who accessed Gmail, Google, Mozilla, and Microsoft updated their software so it would no longer trust the Netherlands-based certificate authority. What Google and Mozilla, and possibly Microsoft as well, never said in their advisories was that their browsers and email applications would continue to trust two DigiNotar certificates that were linked to PKIoverheid.

All three software makers have ducked questions for three days, but a handful of web-based discussions show members of some of them arguing that the PKIoverheid-signed intermediate certificates can still be trusted. On Friday, around the same time this article was first published, Google issued its first on-the-record comment indicating the blocking of the DigiNotar-issued PKIoverheid certificates was under active discussion.

"We're currently evaluating a number of factors, and we want to be prepared to act if we need to," a spokesman wrote in an email. "Our top priority is to protect the privacy and security of our users. To be clear, in this instance we are considering a CA operated by DigiNotar, not the Staat de Nederlanden root CA. We encourage DigiNotar to provide a complete analysis of the situation."

It's unclear if or when Google intends to implement the planned changes. A few hours after the Chromium differential was posted publicly, access to it became restricted. A volunteer Chromium developer said the source code was a sign that at least some people inside Google may have reservations.

“The fact that Google is taking this preparatory step may be anticipating the worst,” said Ryan Sleevi, a who has contributed code to the Chromium project in the past. “It also seems to suggest that they may have information that PKIoverheid has been compromised or otherwise is untrustworthy through its link to Diginotar. PKIoverheid doesn't appear to have done anything wrong other than associating with DigiNotar.”

It's unclear how many website certificates might be affected by the move, but the number and profile of sites that use DigiNotar's PKIoverheid certificate could be considerably higher than those that rely on DigiNotar's root certificate alone. The site at https://www.nicugehoorscreening.nl appears to offer neonatal intensive care unit services from the Dutch government.

It appears as a valid SSL site under Google Chrome. If the changes under consideration are made, the browser would return an error that it's not to be trusted.

On Thursday, Mozilla Vice President of Technical Strategy Mike Shaver issued a series of tweets that appeared to indicate developers of the Firefox browser and Thunderbird email client were inclined to continue trusting the intermediate certificates. Responding to one Twitter dispatch asking what in one of the excepted certificates suggested it wasn't controlled by DigiNotar, Shaver offered the following response:

“nothing in the cert does. our conversations with the dutch authorities do. it doesn't chain to digitar *root*, right?”

A separate tweet posted Wednesday by Google security researcher Adam Langley said: “PKIoverheid is still allowed for now based on assurances from the Dutch government. Conversation still ongoing.”

Microsoft declined to say whether changes it has made to the Vista and later operating systems block the two PKIoverheid certificates signed by DigiNotar.

The relevant code in the version of Chromium is as follows:

Index: net/base/x509_certificate.cc
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc
index e96ece490ad4c32fafb735671317dae35115151e..36b0ed2bfcbf315595eb779922026c954db7d5b9 100644
--- a/net/base/x509_certificate.cc
+++ b/net/base/x509_certificate.cc
@@ -957,7 +957,7 @@ bool X509Certificate::IsBlacklisted() const {
 // static
 bool X509Certificate::IsPublicKeyBlacklisted(
     const std::vector<SHA1Fingerprint>& public_key_hashes) {
-  static const unsigned kNumHashes = 3;
+  static const unsigned kNumHashes = 5;
   static const uint8 kHashes[kNumHashes][base::SHA1_LENGTH] = {
     // Subject: CN=DigiNotar Root CA
     // Issuer: CN=Entrust.net x2 and self-signed
@@ -971,6 +971,14 @@ bool X509Certificate::IsPublicKeyBlacklisted(
     // Issuer: CN=Entrust.net
     {0xe2, 0x3b, 0x8d, 0x10, 0x5f, 0x87, 0x71, 0x0a, 0x68, 0xd9,
      0x24, 0x80, 0x50, 0xeb, 0xef, 0xc6, 0x27, 0xbe, 0x4c, 0xa6},
+    // Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2
+    // Issuer: CN=Staat der Nederlanden Organisatie CA - G2
+    {0x7b, 0x2e, 0x16, 0xbc, 0x39, 0xbc, 0xd7, 0x2b, 0x45, 0x6e,
+     0x9f, 0x05, 0x5d, 0x1d, 0xe6, 0x15, 0xb7, 0x49, 0x45, 0xdb},
+    // Subject: CN=DigiNotar PKIoverheid CA Overheid en Bedrijven
+    // Issuer: CN=Staat der Nederlanden Overheid CA
+    {0xe8, 0xf9, 0x12, 0x00, 0xc6, 0x5c, 0xee, 0x16, 0xe0, 0x39,
+     0xb9, 0xf8, 0x83, 0x84, 0x16, 0x61, 0x63, 0x5f, 0x81, 0xc5},
   };
 
   for (unsigned i = 0; i < kNumHashes; i++) {

It clearly shows two additional DigiNotar certificates, including their serial numbers, that would be blocked if the changes go into effect.

Asked why the source code was originally accessible to everyone and later was restricted, a Google spokesman said: “Code diffs may be private before they are committed. Commits to the tree will of course be public.”

Bring us the head of DigiNotar

As the Google statement suggests, DigiNotar has so far released few details about counterfeit SSL certificates that were signed with its root key. DigiNotar's parent company, an Illinois-based supplier of two-factor authentication products called Vasco Data Security, waited more than 24 hours after the bogus Google certificate was first spotted in the wild to admit its subsidiary had suffered a security 41 days earlier that resulted in the issuance of fraudulent certificates for “a number” of websites, including Google's.

A spokesman for DigiNotar later told IDG News that the breach affected “several dozen” websites but didn't say which ones. Meanwhile, an update to Google Chrome blacklisted a total of 247 certificates that were described as “Bad DigiNotar leaf certificates for non-Google sites.”

Mozilla has since said its site hosting powerful addons for Firefox and Thunderbird was also affected, lending credence to a report that claimed bogus certificates for websites belonging to Yahoo, the Tor Project, WordPress and the Baladin blogging service in Iran were also generated.

Tor Project programmer Jacob Appelbaum recently said that he uncovered evidence that DigiNotar issued a total of 12 bogus certificates for the anonymity service's website, and contrary to claims from the Dutch certificate authority, he can find no evidence any of them have been revoked.

Given DigiNotar's failure to disclose the breach and assure the world it's cleaning up the mess it created, it's understandable that browser makers would have doubts about any certificate that's chained to the CA's root certificate. One can only hope that DigiNotar insecurity is an exception among CAs. If blocking just one is this hard, imagine what it would be like blocking even a small fraction of the thousands of others. ®