Additional EV-OID for Izenpe, untrusted certificates, and public suffix update
By Yngve Nysæter Pettersenyngve. Friday, November 20, 2009 3:07:20 PM
We have also added a few certificates to the list of untrusted certificates.
* Two of these certificates leveraged differences (related to handling of NUL bytes) in the processing of hostnames between a CA's domain name checking systems and some browsers to trick the CA into thinking it was validating a certificate for www.mybank.com<nul>.www.example.com, while the browser would think the certificate was for another site, www.mybank.com, which could facilitate a Man-In-The-Middle attack on the user. While the issuing CA has revoked these certificates we are taking the extra precaution of adding the certificates to the list of untrusted certificates. Therefore, they will not accidentally be accepted by users if the revocation system fails. Both CAs and browsers have been fixing the related issues, and Opera included fixes for this issue in Opera 10.00.
* Additionally, in preparation for future code changes in Opera Presto 2.4, and just to be on the safe side, we have added two object signing certificates that were issued in 2001 to someone pretending to act on behalf of Microsoft. While these certificates have long since expired, the possibility exists that they could still be used maliciously.
These certificates are only downloaded and installed in the untrusted repository when they are actually encountered.
In version 1.1 of the Opera Public Suffix list we have added the domain operaunite.com as a public suffix domain. We have also submitted a patch request to the Public Suffix project and to Microsoft for inclusion of the domain in their lists. The updated version is available from our repository.