maemo.org - Talk

[SECURITY] Another compromised Certificate Authority (https://talk.maemo.org/showthread.php?t=88535)

rainisto 2013-01-06 15:42

Re: [SECURITY] Another compromised Certificate Authority
 
Quote:

Originally Posted by nbedford (Post 1311496)
Is opensh needed? or is open mode + devel-su + develsh enough?

Yes, opensh is needed (or ariadne sh), openmode+devel-su+develsh is not enough to get the right capas.

But if you're in open mode then you can just install opensh with (if you have downloaded the deb package to your device).

Harmattan openmode:
apt-get install wget
wget http://maemo.cloud-7.de/HARM/N9/open...nsh/opensh.deb
AEGIS_FIXED_ORIGIN=com.nokia.maemo dpkg -i opensh.deb

joerg_rw 2013-01-06 17:39

Re: [SECURITY] Another compromised Certificate Authority
 
Quote:

Originally Posted by peterleinchen (Post 1311523)
[...]
For N900 users, please refer to below script.
[...]

Simple script/guide to remove fraudulent CAs:
Code:

#!/bin/sh
#removing fraudulent CAs

echo enter the cert\(ifier\) You are looking for:
read cert
cmcli -T common-ca -L | grep "$cert"

echo now copy the full cert ID ...
read nothing

echo and give it as input \(for removal\)
read certID

if [ `id -u` != 0 ] ; then
    sudo cp /etc/certs/common-ca/$certID.pem /etc/certs/common-ca/$certID.pem.old
    sudo cmcli -c common-ca -r $certID
else
    cp /etc/certs/common-ca/$certID.pem /etc/certs/common-ca/$certID.pem.old
    cmcli -c common-ca -r $certID
fi

echo now open microb and goto
echo chrome://pippki/content/certManager.xul
echo and delete the cert also there in the CA manager
read nothing

dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"


`sudo cp` and others won't work on sane default sudo setup, so you'll have to run this in a root account instead (install rootsh, do `root`)


Quote:

I have no idea, why we do have them twice. Or if we need to block/delete both. Or if only one is fraudulent ...

According to the Google report there were two certs fraudulent.

/j

peterleinchen 2013-01-06 18:16

Re: [SECURITY] Another compromised Certificate Authority
 
Quote:

Originally Posted by joerg_rw (Post 1311592)
`sudo cp` and others won't work on sane default sudo setup, so you'll have to run this in a root account instead (install rootsh, do `root`)
/j

Yep, sure. I made this in a rush to get rid of DigiNotar (and for future fraudulents) and did not test out. This would work probably with sudser installed (or manual inclusion of cp/busybox in sudoers :eek:). So please refer to below corrected script (rootsh required).
But why would anybody try to run this as non-root?
Code:

#!/bin/sh

if [ `id -u` != 0 ] ; then
      exec sudo gainroot <<EOF
exec sh $0 $*
EOF
      exit $?
fi

#removing fraudulent CAs

echo enter the cert\(ifier\) You are looking for:
read cert
cmcli -T common-ca -L | grep "$cert"

echo now copy the full cert ID ...
read nothing

echo and give it as input \(for removal\)
read certID

# back up the certificate, then remove it from the common-ca store
cp "/etc/certs/common-ca/$certID.pem" "/etc/certs/common-ca/$certID.pem.old"
cmcli -c common-ca -r "$certID"

echo now open microb and goto
echo chrome://pippki/content/certManager.xul
echo and delete the cert also there in the CA manager
read nothing

dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"

Quote:

Originally Posted by joerg_rw (Post 1311592)
According to the Google report there were two certs fraudulent.
/j

After reading link provided by aranel, I was also pretty sure.
Thanks for correction/confirming.
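
A non-interactive variant of the removal step from the script above, with the certificate ID validated before it is used in a path and passed to `cmcli` from a root shell. This is an added example, not part of the original posts; the `CERT_DIR` and `CMCLI` override variables and the function names are assumptions for illustration, and the ID is assumed to be a hexadecimal string as printed by `cmcli -T common-ca -L`.

```shell
#!/bin/sh
# Added example: validate the cert ID before it is used in root-owned paths.
# CERT_DIR and CMCLI are overridable (assumption) so the logic can be tried
# against a scratch directory instead of the real store.
CERT_DIR="${CERT_DIR:-/etc/certs/common-ca}"
CMCLI="${CMCLI:-cmcli}"

# Accept only a non-empty hexadecimal ID (assumed ID format). This rejects
# "/", "..", whitespace and glob characters typed at the prompt.
valid_cert_id() {
    case "$1" in
        ''|*[!0-9A-Fa-f]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Back up and remove one CA certificate. Return codes:
#   0 removed, 2 bad ID, 3 no such certificate, 4 backup failed, 5 cmcli failed
remove_ca() {
    cert_id="$1"
    valid_cert_id "$cert_id" || { echo "rejected cert ID: $cert_id" >&2; return 2; }
    pem="$CERT_DIR/$cert_id.pem"
    [ -f "$pem" ] || { echo "no such certificate: $pem" >&2; return 3; }
    # -p keeps mode, owner and timestamps on the backup copy
    cp -p "$pem" "$pem.old" || return 4
    # same cmcli invocation as in the posted script
    "$CMCLI" -c common-ca -r "$cert_id" || return 5
    return 0
}

# Only act when called with an argument, e.g.: sh remove-ca.sh <certID>
if [ "$#" -gt 0 ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run this from a root shell" >&2; exit 1; }
    remove_ca "$1"
fi
```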

sixwheeledbeast 2013-01-19 23:40

Re: [SECURITY] Another compromised Certificate Authority
 
1 Attachment(s)
Should Turktrust still be shown as valid in Smaemo6?

pali 2013-01-20 00:55

Re: [SECURITY] Another compromised Certificate Authority
 
@sixwheeledbeast: This certificate applet had a bug - it showed blacklisted certificates as valid. The bug was fixed in PR1.3.1 by this commit: https://gitorious.org/maemo-5-certif...4945c1dce4bf6e

So for blacklisting you *need* PR1.3.1

pali 2013-01-20 00:57

Re: [SECURITY] Another compromised Certificate Authority
 
Quote:

Originally Posted by peterleinchen (Post 1311523)
No, it is due to the cert name begins with "(".
You may check with
Code:

dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"

Yes, there is such possibility. I will put a script (produced at DigiNotar times) at the end of post.


For N900 users, please refer to below script.
For N9 users, do we need to delete that CA also from browser? (but according to open mentioned bug, there is no such possibility?)


Simple script/guide to remove fraudulent CAs:
Code:

#!/bin/sh
#removing fraudulent CAs

echo enter the cert\(ifier\) You are looking for:
read cert
cmcli -T common-ca -L | grep "$cert"

echo now copy the full cert ID ...
read nothing

echo and give it as input \(for removal\)
read certID

if [ `id -u` != 0 ] ; then
    sudo cp /etc/certs/common-ca/$certID.pem /etc/certs/common-ca/$certID.pem.old
    sudo cmcli -c common-ca -r $certID
else
    cp /etc/certs/common-ca/$certID.pem /etc/certs/common-ca/$certID.pem.old
    cmcli -c common-ca -r $certID
fi

echo now open microb and goto
echo chrome://pippki/content/certManager.xul
echo and delete the cert also there in the CA manager
read nothing

dbus-send --system --type=method_call --dest=com.nokia.osso_browser /com/nokia/osso_browser/request com.nokia.osso_browser.load_url string:"chrome://pippki/content/certManager.xul"


--edit
BUT, one more question arises here:
I do see two certificate IDs for TÜRKTRUST

and also in browsers

they do appear twice.
So maybe for Harmattan users, you also check better twice?

I have no idea, why we do have them twice. Or if we need to block/delete both. Or if only one is fraudulent ...

After blacklisting, it is necessary to re-run the openssl c_rehash script (as root). The certman deb package does it in its postinst script: https://gitorious.org/community-ssu/...on-ca.postinst

Code:

$ perl /usr/bin/c_rehash /etc/certs/common-ca
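
A check that can be run before and after the `c_rehash` step above: `c_rehash` maintains OpenSSL's hash-named symlinks (eight hex digits, a dot, a number) in the certificate directory, and this lists the ones that are dangling or that still resolve to a given certificate file. This is an added example, not code from the thread or from certman; the function names are assumptions, and links are assumed to be relative to the directory, as `c_rehash` creates them.

```shell
#!/bin/sh
# Added example: inspect OpenSSL hash links in a CA directory.

# True if $1 is a symlink named like an OpenSSL certificate hash link.
is_hash_link() {
    [ -L "$1" ] || return 1
    case "${1##*/}" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print hash links whose target file no longer exists.
stale_hash_links() {
    for link in "$1"/*; do
        is_hash_link "$link" || continue
        # -e follows the symlink, so it is false for a dangling link
        if [ ! -e "$link" ]; then echo "${link##*/}"; fi
    done
    return 0
}

# Print hash links that still point at <cert_id>.pem (assumes relative targets).
links_to_cert() {
    for link in "$1"/*; do
        is_hash_link "$link" || continue
        if [ "$(readlink "$link")" = "$2.pem" ]; then echo "${link##*/}"; fi
    done
    return 0
}

# Usage: sh check-links.sh /etc/certs/common-ca [certID]
if [ "$#" -gt 0 ]; then
    echo "dangling hash links:"; stale_hash_links "$1"
    if [ -n "${2:-}" ]; then echo "links to $2.pem:"; links_to_cert "$1" "$2"; fi
fi
```

After a successful rehash both lists should be empty for a certificate that was removed.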

freemangordon 2013-01-20 01:06

Re: [SECURITY] Another compromised Certificate Authority
 
Quote:

Originally Posted by pali (Post 1315999)
@sixwheeledbeast: This certificate applet had a bug - it showed blacklisted certificates as valid. The bug was fixed in PR1.3.1 by this commit: https://gitorious.org/maemo-5-certif...4945c1dce4bf6e

So for blacklisting you *need* PR1.3.1

The Turktrust root cert was not blacklisted, only the two compromised intermediate certs. So this is not a bug but a feature :D

bng 2014-09-01 21:49

Re: [SECURITY] Another compromised Certificate Authority
 
Hi all, can anyone please sum up: is N9 with PR1.3 vulnerable, or is it not?


All times are GMT.