
The Opera Rootstore

The Roots of Internet trust

Posts tagged with "public suffix"

Additional EV-OID for Izenpe, untrusted certificates, and public suffix update


The Basque CA Izenpe (EV-enabled in September) is preparing a new line of EV certificates to be used by Spanish government web sites. These new certificates are mandatory for all the public administrations according to the 11/2007 law. Currently, only Izenpe is able to issue these certificates as EV because Izenpe is the only Spanish CA certified to issue EV certs. Izenpe have designated an extra EV-OID for this line of certificates. This new OID has now been added to the list of OIDs recognized for the Izenpe EV Root. This is the first time a CA has had two EV-OIDs enabled for the same Root in Opera. A testsite is available

We have also added a few certificates to the list of untrusted certificates.

* Two of these certificates exploited a difference (related to the handling of NUL bytes) in how hostnames were processed by a CA's domain-name checking systems and by some browsers: the CA believed it was validating a certificate for www.mybank.com<nul>.www.example.com, while a browser would treat the certificate as valid for a different site, www.mybank.com, which could facilitate a Man-In-The-Middle attack on the user. The issuing CA has revoked these certificates, but we are taking the extra precaution of adding them to the list of untrusted certificates, so that they will not be accepted if the revocation check fails. Both CAs and browsers have been fixing the related issues, and Opera included fixes for this issue in Opera 10.00.

* Additionally, in preparation for future code changes in Opera Presto 2.4, and just to be on the safe side, we have added two object signing certificates that were issued in 2001 to someone pretending to act on behalf of Microsoft. While these certificates have long since expired, the possibility exists that they could still be used maliciously.

These certificates are only downloaded and installed in the untrusted repository when they are actually encountered.

In version 1.1 of the Opera Public Suffix list we have added the domain operaunite.com as a public suffix domain. We have also submitted a patch request to the Public Suffix project and to Microsoft for inclusion of the domain in their lists. The updated version is available from our repository.

SwissSign EV-enabled and a Public Suffix List


The SwissSign Certificate Authority has now been EV enabled. A testsite is available here.

Those who are keeping an eye on what data are available from the certs.opera.com server will notice a new folder at the root, "domains". This folder will contain the data that future versions of Opera will use to determine what type of domain a given hostname or domain is, specifically whether it is a normal domain name like opera.com, or a registry-like domain such as co.uk and city.state.us, also known as a "Public Suffix" or "Effective TLD". There are several areas where this type of information is useful, such as cookie domain checking, some JavaScript security functionality, and UI presentation of web server hostnames to highlight the domain.
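As an added example (not Opera's code or the format of the "domains" folder), the matching algorithm published by the Public Suffix List project applied to the cookie-domain check mentioned above, using a small constructed rule subset that includes the operaunite.com entry from the later post:

```python
# Added example, not Opera's code. Constructed rule subset in Public Suffix List
# text format: one rule per line, '*' matches any one label, '!' is an exception.
PSL_RULES = """
// constructed subset for illustration; the real list lives at publicsuffix.org
com
uk
co.uk
*.ck
!www.ck
operaunite.com
"""

def parse_rules(text):
    """Return the rules from PSL-format text, dropping comments and blanks."""
    lines = (line.split("//", 1)[0].strip() for line in text.splitlines())
    return [line for line in lines if line]

def _matches(rule, labels):
    """True if the rule's labels match the hostname's labels, right to left."""
    rule_labels = rule.lstrip("!").split(".")
    return len(rule_labels) <= len(labels) and all(
        r in ("*", l) for r, l in zip(reversed(rule_labels), reversed(labels)))

def public_suffix(hostname, rules):
    """PSL algorithm: an exception rule wins, else the longest match, else '*'."""
    labels = hostname.lower().rstrip(".").split(".")
    best = None  # (is_exception, suffix_label_count); tuples compare in that order
    for rule in rules:
        if _matches(rule, labels):
            exc = rule.startswith("!")
            # an exception rule's public suffix is the rule minus its leftmost label
            n = len(rule.lstrip("!").split(".")) - (1 if exc else 0)
            if best is None or (exc, n) > best:
                best = (exc, n)
    n = best[1] if best else 1  # nothing matched: the implicit '*' rule applies
    return ".".join(labels[-n:])

def registrable_domain(hostname, rules):
    """Public suffix plus one label, or None if the host is itself a suffix."""
    labels = hostname.lower().rstrip(".").split(".")
    n = public_suffix(hostname, rules).count(".") + 1
    return None if len(labels) <= n else ".".join(labels[-(n + 1):])

def cookie_domain_allowed(request_host, cookie_domain, rules):
    """Reject a Domain= value that is not a suffix of the host or is a public suffix."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    if host != dom and not host.endswith("." + dom):
        return False
    return public_suffix(dom, rules) != dom
```

A cookie set by myapp.operaunite.com for Domain=operaunite.com is refused, while www.opera.com may still set one for opera.com.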

We are now starting internal testing of Public Suffixes (not in Opera 10). As our variant of the Public Suffix support is based on an online update system, as documented in my "subtld" Internet Drafts, a necessary precondition for the testing is a live service providing the data.

The Public Suffix List XML files in Opera's repository are generated from the list created by the Public Suffix List project managed by Mozilla. Like the original Public Suffix List, Opera's generated XML files are available under the same MPL tri-license (MPL, GPL, LGPL), and unsigned versions of the files can be downloaded as a single archive from our Public Suffix download location.

You can read more about the Public Suffix List at publicsuffix.org and in my articles (1, 2).