The Opera Rootstore

There is a first time for many things. Sometimes this is positive, but other times it is unfortunate. This time, we're dealing with one of the latter variety.

Today, we have updated the Opera Rootstore and disabled the DigiNotar Root (Note: DigiNotar is not in any way associated with DigiCert, which is another CA).

The reason for this action is due to last week's news about the large scale attack on DigiNotar's CA systems and the subsequent discoveries about what has happened after the attack.

This is the first step in our handling of this incident. We are currently testing further updates that will add the DigiNotar Root to our "Untrusted" repository.

That a CA gets attacked and even tricked into issuing certificates that turn out to be fraudulent is not, by itself, a reason to revoke trust in a Root CA. CAs are high profile targets for criminals given the role CAs have in the online security framework; it is how the CA responds to such events that determine how much we can trust it.

In this case, DigiNotar's response has unfortunately fallen short in many respects, including the following:

• They did not inform the affected websites, the browsers or the CABForum (CA/Browser Forum) about what had happened for more than 5 weeks, and they only did so after one of the certificates turned up being used in a MITM attack against Google websites. This can be compared against the fact that the browsers were informed about the (successful) attack on Comodo, as well as the (unsuccessful) attack on Startcom, within a few days of the events.
• While they did revoke a number of certificates that were fraudulently issued, they did not inform the affected websites, and they did not discover that a certificate for Google's domain had been issued until after Google had learned of the certificate from users being actively attacked with it (a discovery made possible by a recent Chrome security measure implemented for Google's sites) and informed DigiNotar and the browsers about it.
• The reason for the delay in discovering this certificate was that the attackers had tampered with the log information in the certificate issuance system for at least one of the subCAs. It is presently unknown whether the attackers also tampered with the logs for the other subCAs.
• Due to the log problems, it is in fact still unknown how many certificates that were really issued by this system or for what websites! We have seen reports that more than 500 certificates were issued during the attack, with less than 300 being positively identified, according to our information.

For these reasons, we are today discontinuing distribution of DigiNotar's Root.

A couple of points to note:

• No user action is needed to get this update. If your installation does not have the DigiNotar Root installed already, visiting a site with a DigiNotar issued certificate will trigger a "Unknown issuer" dialog; if this happens, click "Reject" on the dialog.
• This first step of our planned revocation does not remove, or untrust, the DigiNotar Root from Opera installations that already have the Root installed. For these installations, sites using DigiNotar certificates will continue to work as before, indicating a secure connection, as will the EV-enabling of the Root until the next weekly download from the repository server (using the menu choice Help->Check for Updates will trigger an immediate update). For advanced users: if your installation has this certificate, and you want to untrust it now, you can do so by following these steps:

1. Go to the Root Certificate Management dialog in the Menu->Setting->Preferences->Advanced
   Preferences->Advanced->Security->Manage Certificate->Authorities.
2. Locate the "DigiNotar Root CA" entry and click "View".
3. Uncheck the "Allow connections to sites using this certificate".
4. Click "OK" on the viewer dialog, the Certificate Manager and the preference dialog.
5. The DigiNotar certificate is now untrusted, and visiting sites issued from the Root will cause Opera to refuse to connect to the site, without displaying a certificate warning.

Please note that this action does not affect the Dutch Government CA "PKI Overheid" Root CA, which is in the process of revoking the subCA certificate they issued to DigiNotar.

In relation to these events, the browsers and the Certificate Authorities in the CABForum are monitoring the situation and are discussing further improvements to how certificates for secure websites work, both in browsers and on the CA side.


Update Sep 8: Second stage deployed.

Today, we have updated the Rootstore with the following:

• CNNIC, the Chinese Registrar and CA have been EV enabled. As
  part of this, a new EV-enabled Root was added (the old is not EV-enabled). Testsite
• An update of the Public Suffix list, adding the suffixes gob.ec
  and bv.nl. Version 1.5 is available for download from our source repository.

Additionally, the "major" update is due to the recent attack on the CA Comodo^1,2, where an attacker was able to hack into an account and trigger the issuance of 9 certificates for major communication sites (a few other accounts have apparently also been compromised, though no certificates have been issued from these accounts according to our information). Rumors are flying about who was behind the attack, and why, but I will let those rest.

We learned of the attack late evening March 16th, and, by then, the issued certificates had already been revoked by Comodo for more than 24 hours (Comodo detected the attack within a few hours).

I evaluated whether to update the Rootstore Untrusted list of certificates with those certificate already that week, but decided not to do so at the time, in particular since Opera's blacklist could not blunt any attack within the 2 days remaining of the pre-revocation OCSP response validity, and there had been no accesses for the revocation information in the open window.

Also, after the (possible) pre-revocation OCSP responses had expired, any attempt to block revocation checking would remove the secure indication of the site when loaded by Opera, so any users that are keeping an eye on the padlock (we know that a lot you do) would be protected, so after that time the certificates could not in any way have been used to flag pages as secure in Opera.

Another consideration is that the Untrusted list is not intended to be an extra revocation list for normal certificates; it is only intended to include problematic certificates that cannot be revoked in any other fashion, such as the MD5 collision cert a few years ago or a renegade Root CA.

Adding fraudulently issued certificates is not among the list's intended uses, except in special situations. The reason is that revoking those certificates is what the revocation lists (CRLs and OCSP) are for.

At present, however, we have a situation where it is not practical to refuse access to a secure site because the browser cannot access up-to-date revocation information, particularly since the responders have occasional momentary down periods. Opera removes the padlock if we can't get the revocation information, as far as I know Chrome puts a (Golden? Shouldn't that have been red?) warning triangle over the padlock, others give no indication at all that there was a problem.

In the aftermath of the Comodo incident, several participants in the discussion, including me, have suggested that we should move towards stricter requirements regarding having revocation information available before allowing a secure connection to complete.

There are several downsides to this, particularly that it requires exceedingly high stability for the revocation servers, and there is also an implied requirement that all browsers need to do this policy change at the same time, to provide the same user experience.

The stability requirement can be worked around by requiring secure servers to implement TLS OCSP stapling, an extension to the TLS protocol where the TLS server caches its own OCSP response and sends it to the client when it connects. This saves the extra roundtrip for the client when it retrieves it directly, and provides an up-to-date status. There are two problems at present: 1) only 3% of servers support the extension and 2) to be truly useful, all the revocation info for all the certificates in the server's chain needs to be included, and that is currently not possible; but I have submitted a proposal to the TLS WG that would allow that (although there are some concerns that the extra data will cause performance issues for big sites).

In the meantime, using a blacklist may be the best option for limiting impact, but it is also an option that does not scale in the long run, and it also has a relatively long deployment time, compared with revocation. Excluding time for users to update, it took the browsers that shipped blacklist updates last week a week to ship their updates, and that was probably achieved by pushing their release cycles to the limit. Even this Rootstore update took a week to prepare.

In this case we have decided to follow the other browsers, and update our Untrusted list with these certificates, and we might continue to do so in the short term, should there be more incidents, but in the long term other solutions will have to be found.

The are some things to note, even though I hope none of you will ever encounter any of these certificates in the wild:

• Only 7 of the 9 certificates are included, due to the ID of two certificates colliding with a third certificate; the ID is based on the certificate's subject name and public key. This problem is due to a design error in the repository handling; plans are under way to fix the problem.
• The blocked certificates are only pushed to Opera 9.5x and 9.6x versions, since they are not able to use the newer dynamic system. The above point means that two certificates are not installed in those version and are not blocked. In all other versions, there is no visible indication of the list having been updated.
• In newer versions the blocked certificates are only downloaded if they are ever needed. If the download fails, the certificate will still be blocked, which also means that the two certificates not in the list will actually be blocked anyway.
• In Opera 10.x before 10.50, the certificates will be blocked in the way the functionality was designed, by displaying a message that the certificate is untrusted.
• In Opera 10.50 and later, including 11.10, there is a bug. While the blocking works, it works by either showing a blank page or a "Could not connect" message. We are looking into this.
• If the blocked certificates are ever encountered, by Opera 10.0 or later, revocation is checked first, and only if the certificate is not revoked (or the information could not be retrieved) will the untrusted list be consulted.

This update will propagate to all Opera versions that support the online Rootstore during the next week; if you are impatient, just use Menu->Help->"Check for updates" to fetch it (The CNNIC EV-site mentioned above can be used to test that you got the update).

Summary: Opera users who consult the security indication could not have been tricked into believing a site with the fraudulent certificates was secure once the Comodo revocation lists became authoritative, the addition to the blacklist is an extra security measure that strictly speaking is not necessary. No action is needed by our users to download this update.

The Opera Rootstore has been updated with several new Roots, a new CA has been EV-enabled, and a new file has been added to the Public Suffix repository.


Extended Validation:

• Unizeto/Certum, a Polish CA, has now been EV-enabled. Testsite

New Roots:

• AffirmTrust: This is a new US-based CA, headed by people that worked at Geotrust before it was acquired by Verisign. Test sites: 1, 2, 3
• GoDaddy: This popular US ISP and CA has added 3 new EV-enabled Roots signed using SHA-256, a more secure signature method. Test sites: 1, 2, 3
• Taiwan CA (TWCA): This a CA is based in Taiwan. Test site
• TrustCenter: This is a German CA that has been in Opera for a while. They have created two new Roots to take over when some of their
  older certificates expire in January 2011. Test sites are not yet
  available (this article will be updated when they are) Testsites: CA-1 and CA-3.
• StartCom/StartSSL : This is a CA based in Israel which has gathered
  a following. We received quite a few requests to include it, and the wait
  is now over. Test site

AffirmTrust, GoDaddy and Taiwan CA were all added at the end of April, but due to problems with some of the test cases this announcement was delayed.


Public Suffix

• To improve performance for the Public Suffix handling in upcoming versions, we have created a new file that collects all the specifications into a single file. This does not affect the existing files. The updated distribution (Mozilla Tri-License) version 1.2 is also available from our repository.

The new file is "all.tlds.xml", and it contains a "<tlds>..</tlds>" element containing multiple "<tld>..</tld>" elements. The draft describing the format has not yet been updated with this addition.

GlobalSign have added a SHA-256 signed Root to the repository. This is a step preparing for a future changover to using SHA-256 when signing certificates. Currently there are no test sites available.

As mentioned earlier when we updated two of their certificates, Verisign have been updating some of their certificates that were signed with MD2 so that they are signed using the more secure SHA-1 method instead. However, there were some problems with the Class 3 (G1) certificate chain as all the intermediate certificates issued by the Root were chaining to the old MD2 Root because they specified the serial number of that certificate. Therefore new replacements for the intermediates had to be issued as well.

Unfortunately, testing showed that at this time it is not practical to update older versions (9.5 and 9.6) to use this Root due to a bug in the certificate verification code (updating the older clients would "break the Web"). This combined with missing functionality in the repository language meant that to be able to use the new Class 3 Root we had to create a new version of the repository ("03") where the "02"-version's shortcomings have been fixed, which will be used by upcoming releases of 10.0. In the upcoming versions of 10.0 MD2 support will be completely disabled. Further down the road when "all" servers have been updated with the new intermediates we may replace the certificates for older clients, too.

The fourth RSA root signed with MD2 (the "RSA Secure Server Certification Authority" Root) is now being replaced in all 9.50+ builds, as it does not have the problems mentioned above. This certificate is also being phased out, so it is not going to remain in the repository for long; it expires early January.