#1

"Issue
Mozilla was informed today about the issuance of at least one fraudulent SSL certificate for public websites belonging to Google, Inc. This is not a Firefox-specific issue, and the certificate has now been revoked by its issuer, DigiNotar. This should protect most users. ..."
http://blog.mozilla.com/security/201...m-certificate/ and http://www.h-online.com/open/news/it...s-1333088.html

Can we switch that off for our browsers (MicroB, Fennec, Opera)?

See also http://support.mozilla.com/en-US/kb/...inotar-ca-cert

Certificate Manager (in Settings) only allows importing a certificate. How do I delete one?

Last edited by PMaff; 2011-11-01 at 17:27.

#2

Open a bug, seriously, there is a chance Nokia will react.

#3

I manually deleted DigiNotar's certificate on my laptop (as per Mozilla's instructions), and then copied the cert8.db file from within the Firefox directory to the phone.
Going to https://www.diginotar.com/ presented me with an invalid certificate, so it's working.

Edit: You could also use certutil to remove just the one certificate; you'll have to copy your cert8.db over to a computer that can run the certutil program, and then copy the database back over.

Last edited by jd4200; 2011-08-30 at 15:03.

#4

This is very important. And it seems there is no way to manage certificates on Maemo, which is a shame. So yeah, as jd4200 said, simply delete the certificate on your computer, then copy the cert8.db to /home/user/.mozilla/microb/. Not sure how microb makes use of OCSP.

Edit: better this http://talk.maemo.org/showpost.php?p...7&postcount=12 and http://talk.maemo.org/showpost.php?p...86&postcount=7

Anyway, it's an OS from October 2010. I bet there are much, much more security issues, probably even remote :-).

Last edited by NIN101; 2011-08-31 at 14:42.

#5

Quote:
I think this only helps for Fennec. Anyway: I contacted a security email address at Nokia, let's see if they answer.

#6

Quote:
Anyway, OCSP in microb:

security.OCSP.enabled=1
security.OCSP.require=false

Which means AFAIK:
"Contact an OCSP server if the certificate has one listed. If not, then do not."
"Also, if the connection to the OCSP server fails, do not think it is invalid/revoked."

But I would not rely on OCSP anyway. However, some people might want to change this.

Last edited by NIN101; 2011-08-30 at 15:25.
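
The OCSP settings discussed in post #6, as an added example that is not part of the original thread: a shell check that reads a profile's preference files and reports whether revocation checking is disabled, soft-fail or hard-fail. The function names, the file order (prefs.js first, then a user.js override) and the fallback defaults (the two values quoted in the post) are assumptions.

```shell
#!/bin/sh
# Added example: classify OCSP revocation checking for a Mozilla-style profile.

# pref_value NAME FILE... -> prints the last value set for NAME via user_pref().
# Files are read in the order given, so a later file overrides an earlier one.
pref_value() {
    name=$1; shift
    # Escape dots so the pref name is matched literally by sed.
    pat=$(printf '%s' "$name" | sed 's/\./\\./g')
    cat "$@" 2>/dev/null |
        sed -n "s/^[[:space:]]*user_pref(\"$pat\",[[:space:]]*\\([^)]*\\));.*/\\1/p" |
        tail -n 1 | tr -d ' "'
}

# ocsp_mode FILE... -> prints one of: disabled | soft-fail | hard-fail
ocsp_mode() {
    enabled=$(pref_value security.OCSP.enabled "$@")
    require=$(pref_value security.OCSP.require "$@")
    # Assumption: unset prefs fall back to the values quoted in the thread.
    : "${enabled:=1}" "${require:=false}"
    if [ "$enabled" = "0" ]; then
        echo disabled      # no OCSP lookup is made at all
    elif [ "$require" = "true" ]; then
        echo hard-fail     # a failed OCSP lookup makes the certificate invalid
    else
        echo soft-fail     # a failed OCSP lookup is ignored
    fi
}

# Constructed sample profile: prefs.js with the values from the thread,
# plus a user.js that switches security.OCSP.require on.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'user_pref("security.OCSP.enabled", 1);' \
                  'user_pref("security.OCSP.require", false);' > "$d/prefs.js"
    printf '%s\n' 'user_pref("security.OCSP.require", true);' > "$d/user.js"
    echo "prefs.js only:      $(ocsp_mode "$d/prefs.js")"
    echo "prefs.js + user.js: $(ocsp_mode "$d/prefs.js" "$d/user.js")"
    rm -rf "$d"
}
demo
```

With soft-fail, anyone who can block the connection to the OCSP responder can keep a revoked certificate looking valid, which is why removing or distrusting the CA certificate itself is the stronger fix here.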

#7

For microb, just point your browser to chrome://pippki/content/certManager.xul (I've set up a bookmark for this) to get access to the certificate management interface.

#8

After trying to remove the DigiNotar root CA certificate with this, https no longer works at all! I just get a blank window for any https URL I try. It seems that the browser still tries to connect...

#9

No idea how that's happened - it won't actually let you remove the certificate anyway (it appears to work, but re-opening the certificate manager shows it back again).

#10

Quote:
Actually the browser (the backend) crashes (the coredump has been uploaded by the crash reporter). This explains why the UI remains in the same state.