Google might shun Dutch gov certificates from DigiNotar

Chrome update prepared to kill 2 certs


Updated In the wake of hundreds of fraudulent secure sockets layer certificates issued by DigiNotar, Google developers are preparing a version of the Chrome browser that rejects some web credentials sanctioned by the Dutch government's official certificate authority.

Source code posted Thursday afternoon California time on Google's own website would prevent Chrome from trusting any secure website signed by DigiNotar under an official program set up by the Dutch government. It was set up under the auspices of PKIoverheid, the official certificate authority of the Netherlands.

After this article was first published, Mozilla developers implemented a similar change that will cause users to receive a warning when they encounter PKIoverheid certificates signed by DigiNotar. It's unclear when the changes will take effect in Firefox, Thunderbird or SeaMonkey. Mozilla representatives didn't respond to an email request comment.

Shortly after Monday's discovery that DigiNotar had issued a fraudulent google.com certificate that was used to spy on people in Iran who accessed Gmail, Google, Mozilla, and Microsoft updated their software so it would no longer trust the Netherlands-based certificate authority. What Google and Mozilla, and possibly Microsoft as well, never said in their advisories was that their browsers and email applications would continue to trust two DigiNotar certificates that were linked to PKIoverheid.

All three software makers have ducked questions for three days, but a handful of web-based discussions show members of some of them arguing that the PKIoverheid-signed intermediate certificates can still be trusted. On Friday, around the same time this article was first published, Google issued its first on-the-record comment indicating the blocking of the DigiNotar-issued PKIoverheid certificates was under active discussion.

"We're currently evaluating a number of factors, and we want to be prepared to act if we need to," a spokesman wrote in an email. "Our top priority is to protect the privacy and security of our users. To be clear, in this instance we are considering a CA operated by DigiNotar, not the Staat de Nederlanden root CA. We encourage DigiNotar to provide a complete analysis of the situation."

It's unclear if or when Google intends to implement the planned changes. A few hours after the Chromium differential was posted publicly, access to it became restricted. A volunteer Chromium developer said the source code was a sign that at least some people inside Google may have reservations.

“The fact that Google is taking this preparatory step may be anticipating the worst,” said Ryan Sleevi, a who has contributed code to the Chromium project in the past. “It also seems to suggest that they may have information that PKIoverheid has been compromised or otherwise is untrustworthy through its link to Diginotar. PKIoverheid doesn't appear to have done anything wrong other than associating with DigiNotar.”

It's unclear how many website certificates might be affected by the move, but the number and profile of sites that use DigiNotar's PKIoverheid certificate could be considerably higher than those that rely on DigiNotar's root certificate alone. The site at https://www.nicugehoorscreening.nl appears to offer neonatal intensive care unit services from the Dutch government.

It appears as a valid SSL site under Google Chrome. If the changes under consideration are made, the browser would return an error that it's not to be trusted.

On Thursday, Mozilla Vice President of Technical Strategy Mike Shaver issued a series of tweets that appeared to indicate developers of the Firefox browser and Thunderbird email client were inclined to continue trusting the intermediate certificates. Responding to one Twitter dispatch asking what in one of the excepted certificates suggested it wasn't controlled by DigiNotar, Shaver offered the following response:

“nothing in the cert does. our conversations with the dutch authorities do. it doesn't chain to digitar *root*, right?”

A separate tweet posted Wednesday by Google security researcher Adam Langley said: “PKIoverheid is still allowed for now based on assurances from the Dutch government. Conversation still ongoing.”

Microsoft declined to say whether changes it has made to the Vista and later operating systems block the two PKIoverheid certificates signed by DigiNotar.

The relevant code in the version of Chromium is as follows:

Index: net/base/x509_certificate.cc
diff --git a/net/base/x509_certificate.cc b/net/base/x509_certificate.cc
index e96ece490ad4c32fafb735671317dae35115151e..36b0ed2bfcbf315595eb779922026c954db7d5b9 100644
--- a/net/base/x509_certificate.cc
+++ b/net/base/x509_certificate.cc
@@ -957,7 +957,7 @@ bool X509Certificate::IsBlacklisted() const {
 // static
 bool X509Certificate::IsPublicKeyBlacklisted(
     const std::vector<SHA1Fingerprint>& public_key_hashes) {
-  static const unsigned kNumHashes = 3;
+  static const unsigned kNumHashes = 5;
   static const uint8 kHashes[kNumHashes][base::SHA1_LENGTH] = {
     // Subject: CN=DigiNotar Root CA
     // Issuer: CN=Entrust.net x2 and self-signed
@@ -971,6 +971,14 @@ bool X509Certificate::IsPublicKeyBlacklisted(
     // Issuer: CN=Entrust.net
     {0xe2, 0x3b, 0x8d, 0x10, 0x5f, 0x87, 0x71, 0x0a, 0x68, 0xd9,
      0x24, 0x80, 0x50, 0xeb, 0xef, 0xc6, 0x27, 0xbe, 0x4c, 0xa6},
+    // Subject: CN=DigiNotar PKIoverheid CA Organisatie - G2
+    // Issuer: CN=Staat der Nederlanden Organisatie CA - G2
+    {0x7b, 0x2e, 0x16, 0xbc, 0x39, 0xbc, 0xd7, 0x2b, 0x45, 0x6e,
+     0x9f, 0x05, 0x5d, 0x1d, 0xe6, 0x15, 0xb7, 0x49, 0x45, 0xdb},
+    // Subject: CN=DigiNotar PKIoverheid CA Overheid en Bedrijven
+    // Issuer: CN=Staat der Nederlanden Overheid CA
+    {0xe8, 0xf9, 0x12, 0x00, 0xc6, 0x5c, 0xee, 0x16, 0xe0, 0x39,
+     0xb9, 0xf8, 0x83, 0x84, 0x16, 0x61, 0x63, 0x5f, 0x81, 0xc5},
   };
 
   for (unsigned i = 0; i < kNumHashes; i++) {

It clearly shows two additional DigiNotar certificates, including their serial numbers, that would be blocked if the changes go into effect.

Asked why the source code was originally accessible to everyone and later was restricted, a Google spokesman said: “Code diffs may be private before they are committed. Commits to the tree will of course be public.”


Other stories you might like

  • Deepfake attacks can easily trick live facial recognition systems online
    Plus: Next PyTorch release will support Apple GPUs so devs can train neural networks on their own laptops

    In brief Miscreants can easily steal someone else's identity by tricking live facial recognition software using deepfakes, according to a new report.

    Sensity AI, a startup focused on tackling identity fraud, carried out a series of pretend attacks. Engineers scanned the image of someone from an ID card, and mapped their likeness onto another person's face. Sensity then tested whether they could breach live facial recognition systems by tricking them into believing the pretend attacker is a real user.

    So-called "liveness tests" try to authenticate identities in real-time, relying on images or video streams from cameras like face recognition used to unlock mobile phones, for example. Nine out of ten vendors failed Sensity's live deepfake attacks.

    Continue reading
  • Lonestar plans to put datacenters in the Moon's lava tubes
    How? Founder tells The Register 'Robots… lots of robots'

    Imagine a future where racks of computer servers hum quietly in darkness below the surface of the Moon.

    Here is where some of the most important data is stored, to be left untouched for as long as can be. The idea sounds like something from science-fiction, but one startup that recently emerged from stealth is trying to turn it into a reality. Lonestar Data Holdings has a unique mission unlike any other cloud provider: to build datacenters on the Moon backing up the world's data.

    "It's inconceivable to me that we are keeping our most precious assets, our knowledge and our data, on Earth, where we're setting off bombs and burning things," Christopher Stott, founder and CEO of Lonestar, told The Register. "We need to put our assets in place off our planet, where we can keep it safe."

    Continue reading
  • Conti: Russian-backed rulers of Costa Rican hacktocracy?
    Also, Chinese IT admin jailed for deleting database, and the NSA promises no more backdoors

    In brief The notorious Russian-aligned Conti ransomware gang has upped the ante in its attack against Costa Rica, threatening to overthrow the government if it doesn't pay a $20 million ransom. 

    Costa Rican president Rodrigo Chaves said that the country is effectively at war with the gang, who in April infiltrated the government's computer systems, gaining a foothold in 27 agencies at various government levels. The US State Department has offered a $15 million reward leading to the capture of Conti's leaders, who it said have made more than $150 million from 1,000+ victims.

    Conti claimed this week that it has insiders in the Costa Rican government, the AP reported, warning that "We are determined to overthrow the government by means of a cyber attack, we have already shown you all the strength and power, you have introduced an emergency." 

    Continue reading

Biting the hand that feeds IT © 1998–2022