DigiNotar Second Step: Blacklisting the Root
By Yngve Nysæter Pettersen. Thursday, September 8, 2011 6:56:46 PM
How we actually implement this revocation is probably going to surprise many readers.
The first part of the revocation -- adding the DigiNotar Root to our untrusted certificate repository -- is as you would expect.
However, during testing we discovered a minor problem. The entry in the untrusted repository worked when the installation already had the DigiNotar Root installed, as it would for somebody who had visited a site with a certificate issued from that Root. On the other hand, it did not work as intended when the Root was not installed; in those cases it only triggered an "Unknown Issuer" dialog.
There are two reasons for this difference:
- First, most secure sites do not send the Root CA certificate to the client when the connection is being negotiated (this is allowed, since the server can expect the Root to be known to the clients).
- Second, the untrusted repository matches a certificate based on the combination of its Subject Name and Public Key, and the Public Key is not known until the certificate containing it has been processed.
Since the Root certificate is not known to the client, there is no certificate that we can search for in the list of untrusted certificates. Therefore, the site certificate is allowed to pass through to display the "Unknown issuer" dialog.
This problem is due to limitations in how the untrusted functionality was designed and implemented, and we are investigating how to remove this limitation in a future version.
In most cases, this would be sufficient protection. Unfortunately, in this case we are dealing with a CA hierarchy that has been compromised to a degree never seen before, and we cannot allow the risk that a user may accidentally click through one of the warning dialogs.
Thus, the problem with the incomplete chains had to be solved, and the easiest way to do that, while we are working on a more permanent fix, is to ensure that the certificate chain for DigiNotar-issued certificates is complete, up to and including the Root. This is accomplished, in addition to the above blacklisting, by re-inserting the DigiNotar Root into the certificate repository, but this time the entry is marked with the "Deny access to sites presenting this certificate" flag, meaning that it cannot be used for SSL/TLS websites. Combined with the untrusted repository entry, this ensures that all "DigiNotar Root CA" issued certificates are blocked.
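The following simulation is an added example, not Opera's code, and models the two mechanisms described above: an untrusted list keyed by (Subject Name, Public Key), and an Authorities entry carrying the "Deny access" flag. The certificate names and keys are constructed placeholders. It reproduces the gap (leaf sent alone, root never installed, so the untrusted entry cannot match) and shows how re-inserting the flagged root lets the client complete the chain and block the site.

```python
"""Simulation of a two-layer CA blacklist: an untrusted list matched on
(subject, public key) plus a root-store entry flagged "deny access to sites".
Constructed example; not Opera's implementation."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pubkey: str  # constructed placeholder standing in for the real public key

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass
class AuthorityEntry:
    cert: Cert
    deny_sites: bool = False  # "Deny access to sites presenting this certificate"


class ChainValidator:
    def __init__(self) -> None:
        self.authorities: Dict[str, AuthorityEntry] = {}  # root store, keyed by subject
        self.untrusted: Set[Tuple[str, str]] = set()      # (subject, pubkey) pairs

    def add_authority(self, cert: Cert, deny_sites: bool = False) -> None:
        self.authorities[cert.subject] = AuthorityEntry(cert, deny_sites)

    def add_untrusted(self, cert: Cert) -> None:
        # The untrusted list needs the public key, so it can only match
        # a certificate the client has actually received or installed.
        self.untrusted.add((cert.subject, cert.pubkey))

    def verify(self, presented: List[Cert]) -> str:
        chain = list(presented)
        for _ in range(8):  # bound the walk so a malformed store cannot loop forever
            # Every certificate we have seen is checked against the untrusted list.
            for cert in chain:
                if (cert.subject, cert.pubkey) in self.untrusted:
                    return "BLOCKED_UNTRUSTED"
            top = chain[-1]
            entry = self.authorities.get(top.issuer)
            if top.is_self_signed():
                # A presented or completed root must be the one we know, by key.
                if entry is None or entry.cert.pubkey != top.pubkey:
                    return "UNKNOWN_ISSUER"
                if entry.deny_sites:
                    return "BLOCKED_DENY_FLAG"
                return "OK"
            if entry is None:
                # Server sent an incomplete chain and nothing local completes it.
                return "UNKNOWN_ISSUER"
            chain.append(entry.cert)  # complete the chain from the local repository
        return "UNKNOWN_ISSUER"


# Constructed sample certificates (placeholders, not real certificate data).
DIGINOTAR_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA", "pk-root-diginotar")
DIGINOTAR_SITE = Cert("www.example.test", "DigiNotar Root CA", "pk-site-1")
OTHER_ROOT = Cert("Example Trusted Root", "Example Trusted Root", "pk-root-example")
OTHER_SITE = Cert("www.example.org", "Example Trusted Root", "pk-site-2")


def build_client(root_installed: bool, deny_flag: bool, untrusted_entry: bool) -> ChainValidator:
    """Client state: whether the DigiNotar root sits in Authorities, whether that
    entry carries the deny flag, and whether the untrusted entry is present."""
    v = ChainValidator()
    v.add_authority(OTHER_ROOT)
    if root_installed:
        v.add_authority(DIGINOTAR_ROOT, deny_sites=deny_flag)
    if untrusted_entry:
        v.add_untrusted(DIGINOTAR_ROOT)
    return v


def scenario(root_installed: bool, deny_flag: bool, untrusted_entry: bool) -> str:
    # Typical server behaviour: send only the leaf and rely on the client knowing the root.
    return build_client(root_installed, deny_flag, untrusted_entry).verify([DIGINOTAR_SITE])


if __name__ == "__main__":
    print("untrusted entry only, root never installed:", scenario(False, False, True))
    print("untrusted entry, root previously installed:", scenario(True, False, True))
    print("untrusted entry + re-inserted flagged root:", scenario(True, True, True))
    print("flagged root alone:", scenario(True, True, False))
    print("unrelated trusted site:", build_client(False, False, True).verify([OTHER_SITE]))
```

The first scenario is the gap found in testing: the leaf arrives alone, the issuer is not in the store, and the untrusted list never gets a public key to match on, so the result is "Unknown issuer". Once the flagged root is present, the client completes the chain locally, the untrusted match fires, and the deny flag stands as a second, independent block.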
To users, this will work out as follows:
- Users who have never visited, and never will visit, a site with a DigiNotar certificate will never see this certificate or the untrusted repository entry.
- For users who have previously visited a site with a DigiNotar certificate there will be no change in the Authorities listing; the DigiNotar Root entry will remain unchanged. Should one of these users visit such a site again, the untrusted repository entry will cause Opera to block access to the site.
- For users who have not previously visited a site with a DigiNotar certificate, but at some time visit such a site, the DigiNotar Root will be downloaded and installed in the Authorities repository, but, as mentioned above, with a flag that blocks access, in addition to the untrusted repository entry that will be used to block access to the site.
The visible result of the website blocking varies slightly between versions of Opera. In older versions an error page with error code "49" will be displayed. In newer versions, due to a bug, a blank page will appear instead. A blank page still provides effective protection; however, we plan to fix the bug in future Opera releases so that an error page is displayed instead.
Getting the update
For desktop users no action is needed, strictly speaking, as the update will be automatically downloaded and configured during the next week. If you would like to get the update immediately, you may do so using the menu option Help > Check for Updates, which will trigger the update.
Users of Opera for Mobile 11.10 (except for Symbian/Nokia, see below) will get the update automatically within the next week. The update can be triggered manually by opening opera:config, searching for "Time Of Last Root Certificate Update Check", setting this value to 0, and restarting Opera Mobile. Users of older versions will need to update to version 11.10.
Opera Mobile for the Symbian/Nokia platform does not use Opera's certificate repository, but instead uses Symbian/Nokia's repository, so Symbian/Nokia is responsible for providing any updates for this issue, if an update is needed. According to our testing it does not appear that the Symbian/Nokia repository contains the DigiNotar Root.
Opera Mini will be updated separately, and no action will be needed by users of Opera Mini.