08-30-2011, 08:24 PM
Pierre Schmitz
How to disable the DigiNotar root cert on Arch

Hi all,

there was another incident with a CA. See
http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
for more details. If you'd like to distrust this issuer, you'll find a
howto for Firefox at
http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert

For other apps that use our ca-certificates package (by Debian) you can
easily disable the root cert by issuing the following commands as root:

sed -E 's#^(mozilla/DigiNotar_Root_CA\.crt)$#!\1#' -i /etc/ca-certificates.conf
update-ca-certificates

This information is just for those who are curious. There is most
likely no need to panic for those people, especially if you don't live
in Iran. And if you do, it's probably too late, as the issuer was
compromised two months ago. And I thought the Comodo incident was already
a pure nightmare...

The whole CA structure we base our SSL security on is a mess imho.
Blindly shipping a bunch of certificates to our users does not seem to
be the best idea any more. Unfortunately there is no real alternative
atm.

Greetings,

Pierre

--
Pierre Schmitz, https://users.archlinux.de/~pierre
 
08-31-2011, 10:48 AM
Jan de Groot
How to disable the DigiNotar root cert on Arch

On Tue, 2011-08-30 at 22:24 +0200, Pierre Schmitz wrote:
> Hi all,
>
> there was another incident with a CA. See
> http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
> for more details. If you'd like to distrust this issuer, you'll find a
> howto for Firefox at
> http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert
>
> For other apps that use our ca-certificates package (by Debian) you can
> easily disable the root cert by issuing the following commands as root:
>
> sed -E 's#^(mozilla/DigiNotar_Root_CA\.crt)$#!\1#' -i /etc/ca-certificates.conf
> update-ca-certificates
>
> This information is just for those who are curious. There is most
> likely no need to panic for those people, especially if you don't live
> in Iran. And if you do, it's probably too late, as the issuer was
> compromised two months ago. And I thought the Comodo incident was already
> a pure nightmare...
>
> The whole CA structure we base our SSL security on is a mess imho.
> Blindly shipping a bunch of certificates to our users does not seem to
> be the best idea any more. Unfortunately there is no real alternative
> atm.

The whole SSL system is based on trust. We have to trust the CA roots,
and those CA roots have to trust their clients. That way, we trust the
clients they trust.
So far, not much is wrong with that system, but when it turns out the CA
root can't be trusted, that CA root should get kicked out. You can't
tell the difference between a valid certificate issued by the CA root,
or an invalid certificate issued by a hacker using his key.

I already removed DigiNotar from nss. Ionut updated Firefox to 6.0.1,
which distrusts all certificates that are issued by DigiNotar, with the
exception of those that originate from the PKIOverheid CA.

We should remove DigiNotar from our ca-certificates package. A CA that
doesn't care about security, doesn't inform us about hacks and doesn't
even know what systems were affected should not be trusted.

Looking at Debian, they already blacklisted DigiNotar:
http://packages.qa.debian.org/c/ca-certificates/news/20110831T024756Z.html
We should do the same.
 
09-07-2011, 09:55 AM
Pierre Schmitz
How to disable the DigiNotar root cert on Arch

On Tue, 30 Aug 2011 22:24:33 +0200, Pierre Schmitz wrote:
> Hi all,
>
> there was another incident with a CA. See
> http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
> for more details. If you'd like to distrust this issuer, you'll find a
> howto for Firefox at
> http://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert
>
> For other apps that use our ca-certificates package (by Debian) you can
> easily disable the root cert by issuing the following commands as root:

As a follow-up, I'd recommend also removing the root certificates of
"Staat der Nederlanden". The problem is that they had used DigiNotar as
an intermediate CA. There are specific updates for Firefox and Chromium, but
other browsers are still affected. You can check if these certs are
still accepted by your browser by visiting sites such as
https://secure.valkenswaard.nl/. Make sure they still use the DigiNotar
intermediate cert. ATM I don't know of any other workaround than removing
the root certs completely.

To do so run:
sed -E 's#^(mozilla/Staat_der_Nederlanden_Root_CA.*)$#!\1#' -i /etc/ca-certificates.conf
update-ca-certificates

Here are some links including more details. For now it seems Debian
won't remove these root certs. Unfortunately this would mean that every
client needs to be updated, which is also unlikely to happen. A brief
look at what Mozilla does*) should show that this system is pretty much
broken.

http://blog.mozilla.com/security/2011/09/02/diginotar-removal-follow-up/
https://bugzilla.mozilla.org/show_bug.cgi?id=683449
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=640567

*)
http://hg.mozilla.org/releases/mozilla-release/file/e65f4c8bd243/security/manager/ssl/src/nsNSSCallbacks.cpp

Greetings,

Pierre

--
Pierre Schmitz, https://users.archlinux.de/~pierre
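The two sed one-liners in this thread (the exact DigiNotar root in the first post, the `Staat_der_Nederlanden_Root_CA.*` pattern in the follow-up) both rely on the same fact about /etc/ca-certificates.conf: one certificate path per line, `#` for comments, and a leading `!` to deselect an entry so that update-ca-certificates stops linking it into /etc/ssl/certs. The script below is an added example, not code from the thread or from the ca-certificates package. It does the same edit in a way that is idempotent (it never produces `!!entry` on a second run) and lets you list what is currently deselected. The conf contents, file names and the `Already_Disabled_CA` entry are constructed for the example; on a real system you would point it at /etc/ca-certificates.conf and still run update-ca-certificates afterwards.

```python
"""Deselect entries in a ca-certificates.conf style file.

Added example; the sample configuration below is constructed and only
mimics the real file's format (one cert path per line, '#' comments,
leading '!' = deselected).
"""
import re
from pathlib import Path
from tempfile import mkdtemp

# Constructed stand-in for /etc/ca-certificates.conf (a few entries only).
SAMPLE_CONF = """\
# This file lists certificates that you wish to use or to ignore to be
# installed in /etc/ssl/certs. Lines beginning with '!' are deselected.
mozilla/AddTrust_External_Root.crt
mozilla/DigiNotar_Root_CA.crt
mozilla/Staat_der_Nederlanden_Root_CA.crt
mozilla/Staat_der_Nederlanden_Root_CA_-_G2.crt
!mozilla/Already_Disabled_CA.crt
"""


def disable_entries(conf_text: str, pattern: str) -> tuple[str, list[str]]:
    """Prefix every enabled entry whose path fully matches `pattern` with '!'.

    Returns (new_text, list_of_entries_disabled_by_this_call). Comment lines
    and entries that are already deselected are left untouched, so calling
    this twice with the same pattern is a no-op the second time.
    """
    rx = re.compile(pattern)
    out, disabled = [], []
    for line in conf_text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith(("#", "!")) and rx.fullmatch(entry):
            out.append("!" + entry)
            disabled.append(entry)
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


def disabled_entries(conf_text: str) -> list[str]:
    """Return the cert paths currently marked as deselected ('!' prefix)."""
    return [l.strip()[1:] for l in conf_text.splitlines() if l.strip().startswith("!")]


def disable_in_file(path: Path, pattern: str) -> list[str]:
    """Apply disable_entries() to a file, writing back only when something changed.

    The trust store itself is only rebuilt when update-ca-certificates runs,
    exactly as in the thread; this function does not call it.
    """
    text = path.read_text()
    new_text, disabled = disable_entries(text, pattern)
    if disabled:
        path.write_text(new_text)
    return disabled


if __name__ == "__main__":
    conf = Path(mkdtemp()) / "ca-certificates.conf"   # scratch copy, not /etc
    conf.write_text(SAMPLE_CONF)
    # The two patterns used in the thread, then a repeat to show idempotence.
    print(disable_in_file(conf, r"mozilla/DigiNotar_Root_CA\.crt"))
    print(disable_in_file(conf, r"mozilla/Staat_der_Nederlanden_Root_CA.*"))
    print(disable_in_file(conf, r"mozilla/DigiNotar_Root_CA\.crt"))  # []
    print("deselected now:", disabled_entries(conf.read_text()))
```

Because `fullmatch` is used, a pattern such as `mozilla/DigiNotar_Root_CA\.crt` cannot accidentally hit a longer path that merely starts with the same characters, which is the same reason the sed expressions anchor with `^` and `$`.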
 
09-07-2011, 12:22 PM
Dan McGee
How to disable the DigiNotar root cert on Arch

On Wed, Sep 7, 2011 at 4:55 AM, Pierre Schmitz <pierre@archlinux.de> wrote:
> For now it seems Debian
> won't remove these root certs. Unfortunately this would mean that every
> client needs to be updated, which is also unlikely to happen.

However, why can't we remove it?

-Dan
 
09-07-2011, 12:35 PM
Jan de Groot
How to disable the DigiNotar root cert on Arch

On Wed, 2011-09-07 at 11:55 +0200, Pierre Schmitz wrote:

> As a follow-up, I'd recommend also removing the root certificates of
> "Staat der Nederlanden". The problem is that they had used DigiNotar as
> an intermediate CA. There are specific updates for Firefox and Chromium, but
> other browsers are still affected. You can check if these certs are
> still accepted by your browser by visiting sites such as
> https://secure.valkenswaard.nl/. Make sure they still use the DigiNotar
> intermediate cert. ATM I don't know of any other workaround than removing
> the root certs completely.
>

What is this advice based on? You're getting it wrong. "Staat der
Nederlanden CA" is a root CA; they haven't been compromised. The certificate
chain is as follows:

Staat der Nederlanden CA -> DigiNotar -> fraud cert

If you remove DigiNotar from ca-certificates, you'll get this:

Staat der Nederlanden CA -> missing cert -> fraud cert

Every sane client application will complain about the missing cert.
Probably it won't even know about the Staat der Nederlanden CA, as you
can't resolve to it directly without having the DigiNotar certificate.

The thing Mozilla is talking about is their special exception, which
has been removed. In Firefox 6.0.1, if you had a certificate signed by
DigiNotar that resolved to the Staat der Nederlanden CA, it would accept
this certificate as valid. This exception has been removed in 6.0.2.
 
09-07-2011, 02:07 PM
Pierre Schmitz
How to disable the DigiNotar root cert on Arch

On Wed, 07 Sep 2011 14:35:21 +0200, Jan de Groot wrote:
> On Wed, 2011-09-07 at 11:55 +0200, Pierre Schmitz wrote:
>
>> As a follow-up, I'd recommend also removing the root certificates of
>> "Staat der Nederlanden". The problem is that they had used DigiNotar as
>> an intermediate CA. There are specific updates for Firefox and Chromium, but
>> other browsers are still affected. You can check if these certs are
>> still accepted by your browser by visiting sites such as
>> https://secure.valkenswaard.nl/. Make sure they still use the DigiNotar
>> intermediate cert. ATM I don't know of any other workaround than removing
>> the root certs completely.
>>
>
> What is this advice based on? You're getting it wrong. "Staat der
> Nederlanden CA" is a root CA; they haven't been compromised. The certificate
> chain is as follows:
>
> Staat der Nederlanden CA -> DigiNotar -> fraud cert
>
> If you remove DigiNotar from ca-certificates, you'll get this:
>
> Staat der Nederlanden CA -> missing cert -> fraud cert

Doesn't the server also send the intermediate certs if needed? Or am I
mixing things?

> Every sane client application will complain about the missing cert.
> Probably it won't even know about the Staat der Nederlanden CA, as you
> can't resolve to it directly without having the DigiNotar certificate.

I did a brief test with curl and webkit browsers such as rekonq. They
accept the certificates from the site mentioned above unless I disable
"Staat der Nederlanden CA". Afaik Firefox does an explicit check if
there is a diginotar cert within the chain; other browsers and clients
most likely don't. So I still think it's the easiest for most people to
disable those certs as well.

But yes, I am not absolutely sure, as the information you can find in
the media atm is not that accurate. E.g. Heise states that Microsoft
will remove the Netherlands root cert completely.

--
Pierre Schmitz, https://users.archlinux.de/~pierre
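The disagreement between Jan's "missing cert" picture and Pierre's curl result comes down to where a client gets the intermediate from during path building. The following is an added example, not code from the thread or from any browser: a name-only model of X.509 path building (no keys or signatures, and constructed certificate names modelled on the chain Jan drew, with a constructed site `secure.example.nl`). It runs the cases discussed above: the full store, the store after the first sed (DigiNotar root removed), an explicit DigiNotar blacklist of the kind Pierre attributes to Firefox, the store after the second sed (Staat der Nederlanden root removed as well), and a server that does not send the intermediate at all.

```python
"""Name-only model of certificate path building (added example, constructed
certificate names; no cryptography is performed)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate: just subject and issuer names."""
    subject: str
    issuer: str  # equals subject for a self-signed root


def build_path(leaf, trust_anchors, server_extras=()):
    """Chase issuers from the leaf until a trust anchor is reached.

    Issuers are looked up among the certificates the server sent next to the
    leaf (intermediates) and the local trust anchors, which is what a TLS
    client does. Returns [leaf, ..., anchor] or None if the chain cannot be
    closed.
    """
    by_subject = {c.subject: c for c in server_extras}
    by_subject.update({c.subject: c for c in trust_anchors})  # local store wins
    anchor_names = {c.subject for c in trust_anchors}
    path, seen = [leaf], {leaf.subject}
    while path[-1].subject not in anchor_names:
        nxt = by_subject.get(path[-1].issuer)
        if nxt is None or nxt.subject in seen:  # missing issuer or loop
            return None
        path.append(nxt)
        seen.add(nxt.subject)
    return path


def validate(leaf, trust_anchors, server_extras=(), distrusted=()):
    """Return (accepted, explanation).

    `distrusted` holds name fragments; a path containing any certificate
    whose subject includes one is rejected even though it chains to a
    trusted root. This models the explicit check the thread attributes to
    Firefox 6.0.2, applied on top of ordinary path validation.
    """
    path = build_path(leaf, trust_anchors, server_extras)
    if path is None:
        return False, "no path to a trust anchor"
    for c in path:
        if any(d in c.subject for d in distrusted):
            return False, f"path contains distrusted CA '{c.subject}'"
    return True, " -> ".join(c.subject for c in reversed(path))


# Constructed certificates modelled on the chain described in the thread.
SDN_ROOT = Cert("Staat der Nederlanden Root CA", "Staat der Nederlanden Root CA")
DN_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA")
DN_PKIO = Cert("DigiNotar PKIoverheid CA", "Staat der Nederlanden Root CA")  # intermediate
SITE = Cert("secure.example.nl", "DigiNotar PKIoverheid CA")  # constructed site cert


def scenarios():
    """The cases discussed in the thread, keyed by a short description."""
    full_store = {SDN_ROOT, DN_ROOT}
    without_dn = {SDN_ROOT}   # after the first sed: DigiNotar root deselected
    without_both = set()      # after the second sed: SdN roots deselected too
    return {
        "1 full store": validate(SITE, full_store, [DN_PKIO]),
        "2 DigiNotar root removed": validate(SITE, without_dn, [DN_PKIO]),
        "3 explicit DigiNotar distrust": validate(SITE, without_dn, [DN_PKIO],
                                                   distrusted=["DigiNotar"]),
        "4 SdN root removed too": validate(SITE, without_both, [DN_PKIO]),
        "5 server omits intermediate": validate(SITE, without_dn, []),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print(f"{name:32} {'ACCEPT' if ok else 'REJECT':7} {why}")
```

Case 2 is Pierre's curl observation: deselecting the DigiNotar root does nothing for a chain that ends at the Staat der Nederlanden root, because the server supplies the intermediate itself. Case 3 is the browser-side fix (a blacklist consulted for every certificate in the path), and case 4 is the blunt workaround Pierre proposes. Case 5 is Jan's "missing cert" situation, which only arises when the server fails to send the intermediate.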

 
09-07-2011, 05:02 PM
Jan de Groot
How to disable the DigiNotar root cert on Arch

On Wed, 2011-09-07 at 16:07 +0200, Pierre Schmitz wrote:
> I did a brief test with curl and webkit browsers such as rekonq. They
> accept the certificates from the site mentioned above unless I disable
> "Staat der Nederlanden CA". Afaik Firefox does an explicit check if
> there is a diginotar cert within the chain; other browsers and clients
> most likely don't. So I still think it's the easiest for most people to
> disable those certs as well.

I tried epiphany, that browser doesn't even give a warning when a cert
is invalid. One week ago the cert for GNOME bugzilla was expired,
Firefox couldn't add an exception, making it unable to visit
bugs.gnome.org, but epiphany just shows the website without any warning.
When I check a DigiNotar signed website, Epiphany shows a broken lock in
the address bar, so though it's SSL, it says the security is broken.

> But yes, I am not absolutely sure, as the information you can find in
> the media atm is not that accurate. E.g. Heise states that Microsoft
> will remove the Netherlands root cert completely.

Heise is wrong IMHO. When the DigiNotar hack was made public, all
browser companies issued updates. Both Microsoft and Mozilla added
checks to their browsers to see if a cert originates from "Staat der
Nederlanden CA" so the cert would get accepted as valid. Now that Fox IT
uncovered a report about the security at DigiNotar and that no cert
ever issued by this company should be trusted, Mozilla and Microsoft
decided to remove that exception and just disable all DigiNotar
certificates.
I pulled in this update through Windows Update this morning; I had to
reboot for it (Windows XP). On Windows XP you don't have to reboot for a
base certificate update, so this is an update that touches code instead
of some certificate store.
 
09-07-2011, 05:45 PM
Ionut Biru
How to disable the DigiNotar root cert on Arch

On 09/07/2011 08:02 PM, Jan de Groot wrote:
> On Wed, 2011-09-07 at 16:07 +0200, Pierre Schmitz wrote:
>> I did a brief test with curl and webkit browsers such as rekonq. They
>> accept the certificates from the site mentioned above unless I disable
>> "Staat der Nederlanden CA". Afaik Firefox does an explicit check if
>> there is a diginotar cert within the chain; other browsers and clients
>> most likely don't. So I still think it's the easiest for most people to
>> disable those certs as well.
>
> I tried epiphany, that browser doesn't even give a warning when a cert
> is invalid. One week ago the cert for GNOME bugzilla was expired,
> Firefox couldn't add an exception, making it unable to visit
> bugs.gnome.org, but epiphany just shows the website without any warning.
> When I check a DigiNotar signed website, Epiphany shows a broken lock in
> the address bar, so though it's SSL, it says the security is broken.

epiphany is kinda broken. it does say for all websites that the security
is broken. I wonder if we are missing something...

https://bugzilla.gnome.org/show_bug.cgi?id=611496

>> But yes, I am not absolutely sure, as the information you can find in
>> the media atm is not that accurate. E.g. Heise states that Microsoft
>> will remove the Netherlands root cert completely.
>
> Heise is wrong IMHO. When the DigiNotar hack was made public, all
> browser companies issued updates. Both Microsoft and Mozilla added
> checks to their browsers to see if a cert originates from "Staat der
> Nederlanden CA" so the cert would get accepted as valid. Now that Fox IT
> uncovered a report about the security at DigiNotar and that no cert
> ever issued by this company should be trusted, Mozilla and Microsoft
> decided to remove that exception and just disable all DigiNotar
> certificates.
> I pulled in this update through Windows Update this morning; I had to
> reboot for it (Windows XP). On Windows XP you don't have to reboot for a
> base certificate update, so this is an update that touches code instead
> of some certificate store.

--
Ionuț