    [SECURITY] Another compromised Certificate Authority

    freemangordon | # 1 | 2013-01-05, 19:54 | Report

    Beware:

    http://googleonlinesecurity.blogspot...-security.html

    Fremantle Community SSU will issue an update ASAP.

    Maybe Harmattan users should call Nokia Support for an update. Or it is HiFo that should do that, I don't know. Please, someone from the HiFo board, comment on what Harmattan users should do (in light of the "email to elop" concerns).

    The Following 28 Users Say Thank You to freemangordon For This Useful Post:
    ahmadamaj, casketizer, don_falcone, ersanpermana, Estel, gianko, Hurrian, joerg_rw, Joseph9560, kent_autistic, marxian, MINKIN2, misiak, munozferna, myname24, nokiabot, panjgoori, peterleinchen, pichlo, pkz, praveenchand, sbock, sixwheeledbeast, Sourav.dubey, The Wizard of Huz, thedead1440, TMavica, zlatokosi

     
    Fuzzillogic | # 2 | 2013-01-05, 21:42 | Report

    Originally Posted by freemangordon View Post
    Beware:
    Maybe Harmattan users should call Nokia Support for an update. Or it is HiFo that should do that, I don't know. Please, someone from the HiFo board, comment on what Harmattan users should do (in light of the "email to elop" concerns).
    I already tried, but I doubt this would suffice. More people should mention this... no, SHOUT and B*TCH about this. Nokia's negligence so far isn't acceptable, IMNSHO.

    Meanwhile, since I have incepted my device I tried to fix it myself:

    Code:
    ~ $ ariadne mv /etc/ssl/certs/d937b34e05fdd9cf9f1216aeb6892feb253a881c.pem /etc/ssl/certs/d937b34e05fdd9cf9f1216aeb6892feb253a881c.pem.donttrust
    This should disable the TURKTRUST certificate on the N9. But I still get an "access denied". Also, this might be under the protection of Aegis (which would be a good thing) and thus might lead to a MALF on next boot. My Linux-fu isn't high enough to know how to fix it... Perhaps someone else can?

    The Following 3 Users Say Thank You to Fuzzillogic For This Useful Post:
    freemangordon, joerg_rw, peterleinchen

     
    coderus | # 3 | 2013-01-05, 21:51 | Report

    SSL certs are not under Aegis protection.
    Just enter full credentials mode with "ariadne sh" and then move/delete the untrusted cert.

    The Following 3 Users Say Thank You to coderus For This Useful Post:
    joerg_rw, misiak, Sourav.dubey

     
    rainisto | # 4 | 2013-01-05, 22:20 | Report

    if you want the 'proper' way to remove it, then the right command would be:

    opensh -c "acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca -r d937b34e05fdd9cf9f1216aeb6892feb253a881c"

    This assumes that you have installed opensh with all the capas. You can run the acmcli with all capa inception shell too.

    The Following 10 Users Say Thank You to rainisto For This Useful Post:
    ck2nb, don_falcone, freemangordon, Fuzzillogic, Hurrian, joerg_rw, misiak, praveenchand, Sourav.dubey, thedead1440

     
    Fuzzillogic | # 5 | 2013-01-05, 22:31 | Report

    Thanks rainisto, that fixed it

    The aegis-certman-common-ca package installed the certificates into /usr/share/aegis-certman-common-ca, any idea if that is used for something? The TURKTRUST certificate over there can be (re)moved using more conventional ways though.


     
    rainisto | # 6 | 2013-01-05, 22:46 | Report

    You don't need to remove any files after running that acmcli command. They will not be used by the Harmattan system.

    The Following User Says Thank You to rainisto For This Useful Post:
    misiak

     
    casketizer | # 7 | 2013-01-06, 03:43 | Report

    Is it a coincidence this cert is the first in the Certmanager list?

    Can certs be revoked manually on N900?


     
    nbedford | # 8 | 2013-01-06, 12:53 | Report

    Is opensh needed? Or is open mode + devel-su + develsh enough?


     
    peterleinchen | # 9 | 2013-01-06, 14:00 | Report

    Originally Posted by casketizer View Post
    Is it a coincidence this cert is the first in the Certmanager list?
    No, it is because the cert name begins with "(".
    You may check with
    Code:
    dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"
    Originally Posted by casketizer View Post
    Can certs be revoked manually on N900?
    Yes, there is such a possibility. I will put a script (produced at DigiNotar times) at the end of the post.

    Originally Posted by rainisto View Post
    if you want the 'proper' way to remove it, then the right command would be:
    opensh -c "acmcli -C aegis-certman-common-ca::CertCACommonAdd -lc common-ca -r d937b34e05fdd9cf9f1216aeb6892feb253a881c"
    For N900 users, please refer to the script below.
    For N9 users, do we need to delete that CA also from the browser? (But according to the open mentioned bug, there is no such possibility?)


    Simple script/guide to remove fraudulent CAs:
    Code:
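    #!/bin/sh
    # Removing fraudulent CAs

    echo "enter the cert(ifier) You are looking for:"
    read -r cert
    # List the common-ca store and show the entries (with their IDs) that match
    cmcli -T common-ca -L | grep "$cert"

    echo "now copy the full cert ID ..."
    read -r nothing

    echo "and give it as input (for removal)"
    read -r certID

    # An empty ID would make cp and cmcli act on ".pem", so stop here
    if [ -z "$certID" ]; then
        echo "no cert ID given, nothing removed" >&2
        exit 1
    fi

    # Back up the certificate file, then remove the cert from the store
    # (via sudo when not already running as root)
    if [ "$(id -u)" != 0 ]; then
        sudo cp "/etc/certs/common-ca/$certID.pem" "/etc/certs/common-ca/$certID.pem.old"
        sudo cmcli -c common-ca -r "$certID"
    else
        cp "/etc/certs/common-ca/$certID.pem" "/etc/certs/common-ca/$certID.pem.old"
        cmcli -c common-ca -r "$certID"
    fi

    echo "now open microb and goto"
    echo "chrome://pippki/content/certManager.xul"
    echo "and delete the cert also there in the CA manager"
    read -r nothing

    # Open the certificate manager page in the browser
    dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"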

    --edit
    BUT, one more question arises here:
    I do see two certificate IDs for TÜRKTRUST
    Code:
    ~ $ cmcli -T common-ca -L | grep "TÜRK"
    c126ef0d847fc578cabfa616229289c42af952e7 TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
    d937b34e05fdd9cf9f1216aeb6892feb253a881c TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı
    and also in browsers
    chrome://pippki/content/certManager.xul
    they do appear twice.
    So maybe for Harmattan users, you also better check twice?

    I have no idea why we do have them twice. Or if we need to block/delete both. Or if only one is fraudulent ...


    Last edited by peterleinchen; 2013-01-06 at 15:25.
    The Following 3 Users Say Thank You to peterleinchen For This Useful Post:
    casketizer, don_falcone, Sourav.dubey

     
    Aranel | # 10 | 2013-01-06, 15:19 | Report

    https://blog.mozilla.org/security/20...t-certficates/

    According to this page Mozilla is revoking both certificates, so there's no reason why we should not.

    The Following User Says Thank You to Aranel For This Useful Post:
    peterleinchen
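
A check that could follow the removal steps discussed in this thread, as an added example that is not part of any post: it looks in the two store directories named above for the two TÜRKTRUST IDs listed in post #9. It assumes certificates are stored as `<ID>.pem`, as in the quoted paths; the function names and the ACTIVE/BACKUP labels are made up for this illustration.

```shell
#!/bin/sh
# Added example: audit certificate store directories for distrusted CA IDs.
# Assumption: a store keeps each certificate as <ID>.pem (as in the paths
# quoted in the thread). Function names and output labels are hypothetical.

# The two TÜRKTRUST IDs listed in post #9.
DISTRUSTED_IDS="c126ef0d847fc578cabfa616229289c42af952e7
d937b34e05fdd9cf9f1216aeb6892feb253a881c"

# Store directories named in the thread (N9 and N900 respectively).
STORE_DIRS="/etc/ssl/certs /etc/certs/common-ca"

# audit_store DIR: print "ACTIVE <path>" for every distrusted <ID>.pem still
# in DIR and "BACKUP <path>" for renamed copies such as <ID>.pem.old or
# <ID>.pem.donttrust. Returns 1 if any ACTIVE file was found, else 0.
audit_store() {
    dir=$1
    found=0
    for id in $DISTRUSTED_IDS; do
        if [ -e "$dir/$id.pem" ]; then
            echo "ACTIVE $dir/$id.pem"
            found=1
        fi
        # An unmatched glob stays literal, so re-check that the path exists.
        for backup in "$dir/$id.pem".*; do
            if [ -e "$backup" ]; then
                echo "BACKUP $backup"
            fi
        done
    done
    return $found
}

# audit_all DIR...: audit every existing directory given; returns 1 if any
# of them still holds an ACTIVE distrusted certificate.
audit_all() {
    rc=0
    for d in "$@"; do
        [ -d "$d" ] || continue
        audit_store "$d" || rc=1
    done
    return $rc
}

# Run against the real store paths only when asked to: ./audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    # shellcheck disable=SC2086  # word splitting of the list is intended
    audit_all $STORE_DIRS
fi
```

A non-zero exit status means at least one of the two IDs is still present under its original file name; BACKUP lines only report renamed copies and do not affect the status.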

     