    [SECURITY] Another compromised Certificate Authority

    rainisto | # 11 | 2013-01-06, 15:42 | Report

    Originally Posted by nbedford View Post
    Is opensh needed? or is open mode + devel-su + develsh enough?
    yes opensh is needed (or adriane sh), openmode+devel-su+develsh is not enough to get right capas.

    But if you're in open mode then you can just install opensh with (if you have downloaded the deb package to your device).

    Harmattan openmode:
    apt-get install wget
    wget http://maemo.cloud-7.de/HARM/N9/open...nsh/opensh.deb
    AEGIS_FIXED_ORIGIN=com.nokia.maemo dpkg -i opensh.deb


    Last edited by rainisto; 2013-01-06 at 15:46.
    The Following User Says Thank You to rainisto For This Useful Post:
    nbedford

     
    joerg_rw | # 12 | 2013-01-06, 17:39 | Report

    Originally Posted by peterleinchen View Post
    [...]
    For N900 users, please refer to below script.
    [...]

    Simple script/guide to remove fraudulent CAs:
    Code:
    #!/bin/sh
    #removing fraudulent CAs
    
    echo enter the cert\(ifier\) You are looking for:
    read cert
    cmcli -T common-ca -L | grep "$cert"
    
    echo now copy the full cert ID ...
    read nothing
    
    echo and give it as input \(for removal\)
    read certID
    
    if [ `id -u` != 0 ] ; then
        sudo cp /etc/certs/common-ca/$certID.pem /etc/certs/common-ca/$certID.pem.old
        sudo cmcli -c common-ca -r $certID
    else
        cp /etc/certs/common-ca/$certID.pem /etc/certs/common-ca/$certID.pem.old
        cmcli -c common-ca -r $certID
    fi
    
    echo now open microb and goto
    echo chrome://pippki/content/certManager.xul 
    echo and delete the cert also there in the CA manager
    read nothing
    
    dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"

    `sudo cp` and others won't work on sane default sudo setup, so you'll have to run this in a root account instead (install rootsh, do `root`)


    Originally Posted by
    I have no idea, why we do have them twice. Or if we need to block/delete both. Or if only one is fraudulent ...
    According to the Google report there were two certs fraudulent.

    /j


    Last edited by joerg_rw; 2013-01-06 at 17:43.
    The Following 2 Users Say Thank You to joerg_rw For This Useful Post:
    mr_pingu, peterleinchen

     
    peterleinchen | # 13 | 2013-01-06, 18:16 | Report

    Originally Posted by joerg_rw View Post
    `sudo cp` and others won't work on sane default sudo setup, so you'll have to run this in a root account instead (install rootsh, do `root`)
    /j
    Yep, sure. I made this in a rush to get rid of DigiNotar (and for future fraudulents) and did not test it out. This would work probably with sudser installed (or manual inclusion of cp/busybox in sudoers). So please refer to below corrected script (rootsh required).
    But why would anybody try to run this as non-root?
    Code:
    #!/bin/sh
    # Remove a fraudulent CA from the common-ca store (rootsh required).
    
    # Not root yet: re-run this script through gainroot.
    if [ "$(id -u)" != 0 ] ; then
           exec sudo gainroot <<EOF
    exec sh $0 $*
    EOF
           exit $?
    fi
    
    #removing fraudulent CAs
    
    # List the stored CAs that match the search term.
    echo enter the cert\(ifier\) You are looking for:
    read -r cert
    cmcli -T common-ca -L | grep "$cert"
    
    echo now copy the full cert ID ...
    read -r nothing
    
    echo and give it as input \(for removal\)
    read -r certID
    
        # Keep a backup copy, then remove the cert from the common-ca domain.
        cp "/etc/certs/common-ca/$certID.pem" "/etc/certs/common-ca/$certID.pem.old"
        cmcli -c common-ca -r "$certID"
    
    echo now open microb and goto
    echo chrome://pippki/content/certManager.xul 
    echo and delete the cert also there in the CA manager
    read -r nothing
    
    # Open the MicroB certificate manager.
    dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"

    Originally Posted by joerg_rw View Post
    According to the Google report there were two certs fraudulent.
    /j
    After reading link provided by aranel, I was also pretty sure.
    Thanks for correction/confirming.


    Last edited by peterleinchen; 2013-01-06 at 18:20.
    The Following 2 Users Say Thank You to peterleinchen For This Useful Post:
    casketizer, joerg_rw

     
    sixwheeledbeast | # 14 | 2013-01-19, 23:40 | Report

    Should Turktrust still be shown as valid in Smaemo6?


     
    pali | # 15 | 2013-01-20, 00:55 | Report

    @sixwheeledbeast: This certificate applet had a bug - it showed blacklisted certificates as valid. The bug was fixed in PR1.3.1 by this commit: https://gitorious.org/maemo-5-certif...4945c1dce4bf6e

    So for blacklisting you *need* PR1.3.1


     
    pali | # 16 | 2013-01-20, 00:57 | Report

    Originally Posted by peterleinchen View Post
    No, it is due to the cert name begins with "(".
    You may check with
    Code:
    dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"

    Yes, there is such possibility. I will put a script (produced at DigiNotar times) at the end of post.


    For N900 users, please refer to below script.
    For N9 users, do we need to delete that CA also from browser? (but according to open mentioned bug, there is no such possibility?)


    Simple script/guide to remove fraudulent CAs:
    Code:
    #!/bin/sh
    #removing fraudulent CAs
    
    echo enter the cert\(ifier\) You are looking for:
    read cert
    cmcli -T common-ca -L | grep "$cert"
    
    echo now copy the full cert ID ...
    read nothing
    
    echo and give it as input \(for removal\)
    read certID
    
    if [ `id -u` != 0 ] ; then
        sudo cp /etc/certs/common-ca/$certID.pem /etc/certs/common-ca/$certID.pem.old
        sudo cmcli -c common-ca -r $certID
    else
        cp /etc/certs/common-ca/$certID.pem /etc/certs/common-ca/$certID.pem.old
        cmcli -c common-ca -r $certID
    fi
    
    echo now open microb and goto
    echo chrome://pippki/content/certManager.xul 
    echo and delete the cert also there in the CA manager
    read nothing
    
    dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"

    --edit
    BUT, one more question arises here:
    I do see two certificate IDs for TÜRKTRUST

    and also in browsers

    they do appear twice.
    So maybe for harmattan users, you also better check twice?

    I have no idea, why we do have them twice. Or if we need to block/delete both. Or if only one is fraudulent ...

    After blacklisting, it is needed to re-run the openssl c_rehash script (as root). The certman deb package does it in its postinst script: https://gitorious.org/community-ssu/...on-ca.postinst

    Code:
    $ perl /usr/bin/c_rehash /etc/certs/common-ca

    The Following User Says Thank You to pali For This Useful Post:
    misiak
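
An added example for the c_rehash step in the post above (not part of the thread, and not the certman package's code): it audits a hashed CA directory for hash links that are left dangling after a cert removal, or that still resolve to the removed cert or its `.pem.old` backup. It assumes the links are symlinks named `<8 hex digits>.<n>`, as c_rehash creates them; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a c_rehash-style CA directory after removing a cert.
# Assumption: hash links are symlinks named <8 hex digits>.<n>.
# All function names here are hypothetical.

# Print the path of every hash link in DIR ($1), one per line.
hash_links() {
    for f in "$1"/*; do
        [ -L "$f" ] || continue
        case "$(basename "$f")" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                echo "$f" ;;
        esac
    done
}

# Hash links whose target file is gone: the directory was not rehashed
# after the removal.
dangling_links() {
    hash_links "$1" | while IFS= read -r l; do
        [ -e "$l" ] || basename "$l"
    done
}

# Hash links that still resolve to CERTID.pem ($2) or to a copy such as
# CERTID.pem.old: the removed CA can still be found by hash lookup.
links_to_cert() {
    hash_links "$1" | while IFS= read -r l; do
        case "$(basename "$(readlink "$l")")" in
            "$2".pem*)
                if [ -e "$l" ]; then basename "$l"; fi ;;
        esac
    done
}

# Run as: sh audit.sh DIR [CERTID]
if [ $# -ge 1 ]; then
    dangling_links "$1"
    if [ -n "${2:-}" ]; then links_to_cert "$1" "$2"; fi
fi
```

Both functions should print nothing for the removed cert ID once the directory has been rehashed.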

     
    freemangordon | # 17 | 2013-01-20, 01:06 | Report

    Originally Posted by pali View Post
    @sixwheeledbeast: This certificate applet had a bug - it showed blacklisted certificates as valid. The bug was fixed in PR1.3.1 by this commit: https://gitorious.org/maemo-5-certif...4945c1dce4bf6e

    So for blacklisting you *need* PR1.3.1

    turktrust root cert was not blacklisted, only the two compromised intermediate certs. so this is not a bug but a feature

    The Following 3 Users Say Thank You to freemangordon For This Useful Post:
    Estel, misiak, sixwheeledbeast

     
    bng | # 18 | 2014-09-01, 21:49 | Report

    hi all, can anyone please sum up, is N9 with PR1.3 vulnerable, or is it not?


     