
chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

Mozilla: Revoking Trust in Two TurkTrust Certificates

Mozilla Security Blog - Revoking Trust in Two TurkTrust Certificates
January 3, 2012

quote:
Update: For clarification, the last sentence of this post references our actions to suspend inclusion of a TURKTRUST root certificate. There are currently two TURKTRUST root certificates included in Mozilla’s CA Certificate program. TURKTRUST had requested that a newer root certificate be included, and their request had been approved and was in Firefox 18 beta. However, due to the mis-issued intermediate certificates, we decided to suspend inclusion of their new root certificate for now.

Issue
TURKTRUST, a certificate authority in Mozilla’s root program, mis-issued two intermediate certificates to customers. TURKTRUST has scanned their certificate database and log files and confirmed that the mistake was made for only two certificates.

This is not a Firefox-specific issue. Nevertheless, we are concerned that at least one of the mis-issued intermediate certificates was used for man-in-the-middle (MITM) traffic management of domain names that the customer did not legitimately own or control. We are also concerned that the private keys for these certificates were not kept as secure as would be expected for intermediate certificates.

Impact
An intermediate certificate that is used for MITM allows the holder of the certificate to decrypt and monitor communication within their network between the user and any website. Additionally, If the private key to one of the mis-issued intermediate certificates was compromised, then an attacker could use it to create SSL certificates containing domain names or IP addresses that the certificate holder does not legitimately own or control. An attacker armed with a fraudulent SSL certificate and an ability to control their victim’s network could impersonate websites in a way that would be undetectable to most users. Such certificates could deceive users into trusting websites appearing to originate from the domain owners, but actually containing malicious content or software.

Status
Mozilla is actively revoking trust for the two mis-issued certificates which will be released to all supported versions of Firefox in the next update on Tuesday 8th January.

We have also suspended inclusion of the “TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş. (c) Aralık 2007” root certificate, pending further review.

Additional action regarding this CA will be discussed in the mozilla.dev.security.policy forum.

Credit
This issue was initially reported to us by Google, Inc.

Michael Coates
Director of Security Assurance
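The advisory's fix is an explicit distrust entry rather than a deletion: the built-in roots stay in the store, but any chain that passes through the flagged certificate is refused. Unticking the trust boxes by hand, as several posts below describe, has the same effect. The Go program below is an added example and is not Mozilla's code or anything posted in this thread. It constructs its own root, customer intermediate and server leaf (the names "Toy Root CA", "Toy Customer Intermediate" and "www.example.test" are made up), shows the chain verifying normally, then rejects the same leaf once the intermediate's SHA-256 fingerprint is placed on a distrust list.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Fingerprint returns the lowercase hex SHA-256 of the certificate's DER bytes.
// Keying distrust on the whole certificate means a re-issued certificate with the
// same name but different bytes is not caught by the same entry.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// sign issues tmpl under parent with the parent's private key; a nil parent self-signs.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildToyPKI constructs a root -> customer intermediate -> server leaf chain.
// Every name and key here is made up for the example (constructed sample data).
func BuildToyPKI() (root, inter, leaf *x509.Certificate, err error) {
	keys := make([]*ecdsa.PrivateKey, 3)
	for i := range keys {
		if keys[i], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return nil, nil, nil, err
		}
	}
	now := time.Now()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	if root, err = sign(ca(1, "Toy Root CA"), nil, &keys[0].PublicKey, keys[0]); err != nil {
		return nil, nil, nil, err
	}
	if inter, err = sign(ca(2, "Toy Customer Intermediate"), root, &keys[1].PublicKey, keys[0]); err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "www.example.test"},
		DNSNames:     []string{"www.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = sign(leafTmpl, inter, &keys[2].PublicKey, keys[1])
	return root, inter, leaf, err
}

// VerifyWithDistrust does ordinary chain building for host, then applies an explicit
// distrust list: a chain containing a distrusted fingerprint is rejected even though
// its signatures are valid. The root stays installed; only what passes through the
// flagged certificate is refused, which is what a pushed distrust entry does.
func VerifyWithDistrust(leaf *x509.Certificate, host string, inters, roots []*x509.Certificate, distrusted map[string]bool) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range inters {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: rootPool, Intermediates: interPool})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if fp := Fingerprint(c); distrusted[fp] {
				return fmt.Errorf("chain for %s passes through distrusted certificate %q (sha256 %s...)", host, c.Subject.CommonName, fp[:16])
			}
		}
	}
	return nil
}

// Demo reports whether the clean chain verifies and whether the same chain is
// rejected once the intermediate's fingerprint is on the distrust list.
func Demo() (cleanOK, distrustedRejected bool, err error) {
	root, inter, leaf, err := BuildToyPKI()
	if err != nil {
		return false, false, err
	}
	inters, roots := []*x509.Certificate{inter}, []*x509.Certificate{root}
	cleanOK = VerifyWithDistrust(leaf, "www.example.test", inters, roots, nil) == nil
	blocklist := map[string]bool{Fingerprint(inter): true}
	distrustedRejected = VerifyWithDistrust(leaf, "www.example.test", inters, roots, blocklist) != nil
	return cleanOK, distrustedRejected, nil
}

func main() {
	cleanOK, rejected, err := Demo()
	fmt.Println("clean chain accepted:", cleanOK, "| distrusted intermediate rejected:", rejected, "| error:", err)
}
```

The check runs after normal verification on purpose: a distrust list is a supplement to chain validation, not a replacement for it, and it must be consulted for every certificate in every candidate chain, since a leaf can sometimes chain through more than one path.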



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit

FYI Microsoft has already revoked the certificates.

»Microsoft untrusted certificate store update (Dec 31st)

»Microsoft Security Advisory Notification - Dec. 31, 2012

»Microsoft Security Advisory Notification - Jan 3, 2013
--
Don't feed trolls--it only makes them grow!



Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
Reviews:
·TekSavvy DSL
·Shaw
·TELUS
reply to chachazz

What do I do? Delete it?


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit

1 recommendation

Or distrust them (there are two).


chachazz
Premium
join:2003-12-14
kudos:9

Fatal error leads TURKTRUST to issue dangerous SSL certificates ...A good article at Heise Security



Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
Reviews:
·TekSavvy DSL
·Shaw
·TELUS

said by chachazz:

Fatal error leads TURKTRUST to issue dangerous SSL certificates ...A good article at Heise Security

link doesn't work


JALevinworth

@embarqhsd.net

said by Cartel:

said by chachazz:

Fatal error leads TURKTRUST to issue dangerous SSL certificates ...A good article at Heise Security

link doesn't work

I googled Heise Security to find it here:
»www.h-online.com/security/news/i···291.html

This article was interesting too:
»krebsonsecurity.com/2013/01/turk···re-18224

Libra
Premium
join:2003-08-06
USA
kudos:1
Reviews:
·Verizon FiOS
reply to chachazz

I found this in my Event Viewer:

Successful auto update of disallowed certificate list with effective date: Monday, December 31, 2012 3:50:01 PM.

BUT, when I look in the Certificates in Pale Moon I see the two TurkTrust certificates listed there (I edited them by unchecking the three boxes). When I looked in IE, I see FIVE TurkTrust certificates (two Electronic Sertificat Hizmet and three Electronic Islena Hiza..)

Is the fact that they are listed, saying they are good certificates, not important since they are disallowed? Is that something we don't visually see?

Thank you.

Sincerely, Libra



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by Libra:

Is the fact that they are listed, saying they are good certificates, not important since they are disallowed?

First off I'd forgotten about this so I just checked in FF 18.0 to ensure nothing had changed. It hadn't.

The certificates are listed because they're "built-in". You can't "delete" them. Unticking the 3 boxes means they're distrusted which effectively has the same result--that is you'll get a warning pop-up for any site trying to use a certificate issued by TurkTrust.
--
Don't feed trolls--it only makes them grow!


chachazz
Premium
join:2003-12-14
kudos:9

Mozilla Foundation Security Advisory 2013-20
»www.mozilla.org/security/announc···-20.html



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

1 edit
reply to chachazz

Interesting... I just checked in my Opera 11.52 cert listing, and both:
*.EGO.GOV.TR
e-islem.kktcmerkezbankasi.org
are now listed as rejected certs. These are the two subsidiary CAs incorrectly created by TURKTRUST, at least one of which (*.EGO.GOV.TR) was used to issue a fraudulent cert to *.google.com - which triggered this whole business. Apparently, Opera must have pushed out a background update of the cert stores to reject the two certs, even for old Opera versions like mine. I only know I never performed such an update manually...

Edit: I just opened my Opera 10.63 version (which hasn't been activated for at least 6 months) and, following a brief period of visible network traffic indications whilst my local home page was in process of appearing, the cert stores on that version also now show both the above rejections. So Opera is indeed automatically pushing out these cert updates for all their browsers for this problem.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville



La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3
reply to chachazz

I can't do anything with the first one in the list. Can't view, edit or delete/distrust, the buttons don't work. The second one I edited and unchecked the boxes. Should I assume the first one is disabled?




StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

You're clicking on the title. Click on the line underneath (indented text)

(I did the exact same thing the first time)
--
Don't feed trolls--it only makes them grow!



La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3

LOL!!! Duh!!!!! It all looks like gibberish to me!!

Ok, I got that one edited. So that's all I have to do, right?



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

As long as you got both TurkTrust certs. The first is at the top as in the screen captures. The second is down in the T's.
--
Don't feed trolls--it only makes them grow!



La Luna
RIP Lisa
Premium
join:2001-07-12
Warwick, NY
kudos:3

Ok, thanks, got them both now.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

Well you're good to go--until the next cert authority gets hacked etc
--
Don't feed trolls--it only makes them grow!



Steve
I know your IP address
Consultant
join:2001-03-10
Foothill Ranch, CA
kudos:5
reply to chachazz

Who here is amused that Microsoft addressed this before Mozilla?



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Actually I find it more amusing that Microsoft had some of their certificates faked/stolen

»Microsoft kills code-signing certs stop Flame-like attacks
--
Don't feed trolls--it only makes them grow!



chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS

quote:
Thursday, January 03, 2013
Notes on the TURKTRUST fiasco
Posted by Robert David Graham

Yet again a Certificate Authority failed, allowing a hacker or government to spy on SSL connections. I thought I'd write up some notes. I'll likely update this post over the next couple days as more info becomes available.

The most important thing to remember is there is no evidence of maliciousness. The CA fail appears to have been accidental. More importantly, the MitM may also have been accidental. This incident will be used by those beating the "state sponsored hacking" drum, so I thought I'd point out that as of today (Jan 3 2013) no evidence exists to support that conclusion.
This is worth reading.
There is a link in the article to the mozilla mail list with an explanatory post apparently made by TurkTrust.
»erratasec.blogspot.de/2013/01/no···sco.html

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable
reply to chachazz

i mentioned this in the mozilla sub-forum..after installing FF 18, i don't see that the certificates in question were added to the list of other untrusted certificates, under "servers", so, as far as i can tell, to me, it looks like mozilla failed to "revoke trust" for the certificates that were supposed to have their trust revoked..

like others, i had to manually disable trust for the two "turktrust" certificates that are included in the list of valid certificates, under "authorities"..



Cartel
Premium
join:2006-09-13
Chilliwack, BC
kudos:2
Reviews:
·TekSavvy DSL
·Shaw
·TELUS

said by redwolfe_98:

i mentioned this in the mozilla sub-forum..after installing FF 18, i don't see that the certificates in question were added to the list of other untrusted certificates, under "servers", so, as far as i can tell, to me, it looks like mozilla failed to "revoke trust" for the certificates that were supposed to have their trust revoked..

like others, i had to manually disable trust for the two "turktrust" certificates that are included in the list of valid certificates, under "authorities"..

I deleted the certs altogether.
After updating to ff18, they are back but with no check boxes.
Guess I'll delete them again.

The certs listed in the "servers" column all say "do not trust".
Is that normal?


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

said by Cartel:

... The certs listed in the "servers" column all say "do not trust".
Is that normal?

Could it be that those certs are all actually set to "trust", but the prompted default trust option (if you select "edit") will always be the opposite of what the cert currently is on the assumption you will be wanting to edit or change it?
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

Libra
Premium
join:2003-08-06
USA
kudos:1
Reviews:
·Verizon FiOS
reply to StuartMW

Thank you StuartMW for explaining that since they are built in I should untick them. (I also had the problem of highlighting the title.)

Am I supposed to be doing anything about the two different certificates I found in IE? I imagine everyone has them.

Sincerely, Libra



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Microsoft has a patch for the IE ones. You should get them via Windows Update.

»Microsoft untrusted certificate store update (Dec 31st)
--
Don't feed trolls--it only makes them grow!


Libra
Premium
join:2003-08-06
USA
kudos:1

Thank you. I'll keep my eye out for it - that might be the one listed in the Event Viewer!

Sincerely, Libra



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2



Well if you have the update installed you'll see that the two certs are untrusted.
--
Don't feed trolls--it only makes them grow!


Khaine

join:2003-03-03
Australia
reply to chachazz

SSL certificates are clearly a market failure. The Government should step in and start regulating this industry, by enforcing clear security requirements for any organisation who issues certificates.

The Australian Government has a framework for its own Departments that issue certs, with annual certification requirements. Something similar should be extended to commercial entities.


Libra
Premium
join:2003-08-06
USA
kudos:1
Reviews:
·Verizon FiOS
reply to StuartMW


Untrusted publishers

continued

I don't see Turktrust listed anywhere?
I don't understand this. I have the roots certificate in Event Viewer:

Log Name: Application
Source: Microsoft-Windows-CAPI2
Date: 1/9/2013 12:20:20 PM
Event ID: 16
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: -PC
Description:
Successful auto update of disallowed certificate list with effective date:: Monday, December 31, 2012 6:50:01 PM;.
Event Xml:

16
0
4
0
0
0x80000000000000

21788

Application
MyVista-PC

Monday, December 31, 2012 6:50:01 PM

This is the Certificates Untrusted Publishers of IE:

Could Defense Wall prevent this certificate operation?

Sincerely, Libra

P.S. Thank you for the screenshot.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit

Not sure what the issue is. Are the certs under one of the "trusted" tabs?

If they're not anywhere at all then by default they'll be untrusted.
--
Don't feed trolls--it only makes them grow!