Implementer's notes

The drafts I have written about Opera's DNS heuristic used to check cookie domains and the online "subTLD" information system that I suggested to replace it have now been refreshed.

There are no changes in the DNS heuristic draft, but the subTLD draft have been updated based on my experience with implementing the Public Suffix (a.k.a. SubTLD or Effective TLD) support that is planned for future versions of Opera (well past v10.0). As a result, the certs.opera.com server which is used for Opera's online Root Certificate repository has now started hosting Opera's XML based Public Suffix List,
based on and generated from the Public Suffix List project's list. The XML files are also available as a single download (without the digital signature, under the Mozilla Tri-license (MPL, GPL, LGPL) from our online download location.

The drafts are available at

draft-pettersen-dns-cookie-validate-05.txt (archive)

draft-pettersen-subtld-structure-05.txt (archive)

See also the Rootstore update.

draft-pettersen-dns-cookie-validate-05.txt
draft-pettersen-subtld-structure-05.txt

I've once again refreshed my HTTP Cookie and Cache related Internet Drafts. The drafts have been discussed here a couple of times before, but to summarize:

draft-pettersen-dns-cookie-validate-04.txt (archive)

This Draft describes Opera's current heuristical approach to avoid sending cookies to registry-like domains like co.uk (The "Cookie Monster Bug"). First discussed here.

draft-pettersen-subtld-structure-04.txt (archive)

This Draft describes an improved approach to handling the "Cookie Monster Bug", using an online black list of registry-like domains. Also first discussed here.

The Mozilla team's work on "Effective TLDs" is based on an early version of this suggestion. The result of this work is now available from PublicSuffix.org, and is AFAIK currently used for one or more features by Chrome Beta, FF3, and IE8 Beta.

To reduce the complexity of the specification, and to avoid excluding possible solutions, I have now removed the previous suggestions for how the repository should be generated, and just shortly mention some possibilies in the Appendixes.

draft-pettersen-cookie-v2-03.txt (archive)

This Draft describes the ideal solution to the "Cookie Monster Bug", that everybody starts using a new format for cookies that completely remove the problem. First discussed here.

draft-pettersen-cache-context-03.txt (archive)

This Draft describes a method for giving sites a method to tell the client that a group of webpages are related, which can be used to better organize logouts. First discussed here.

draft-pettersen-dns-cookie-validate-04.txt
draft-pettersen-subtld-structure-04.txt
draft-pettersen-cookie-v2-03.txt
draft-pettersen-cache-context-03.txt

The W3C's Web Security Context Working Group have just released the Last Call version of its "User Interface Guidelines" document, which is a set of recommendations for the security related UI in Web User Agents.

This specification deals with the trust decisions that users must make online, and with ways to support them in making safe and informed decisions where possible.

This document specifies user interactions with a goal toward making security usable, based on known best practice in this area. Subsequent testing of this specification will include conformance, interoperability, and usability testing.

If you want to comment on the document you are welcome to do so:

The W3C Membership and other interested parties are invited to review the document and send comments to public-usable-authentication@w3.org (with public archive) through 15 September 2008. We appreciate if comments follow these guidelines for writing good issues.

There's been a number of criticisms directed at the padlock over the years, some of which may be correct, to some extent, at least.

One objection has been that users misunderstand the padlock's meaning, thinking it is an indicator of trustworthiness, rather than a protection rating for the connection.

Another objection (which flies in the face of the first), is that "nobody checks the padlock".

Well, I can't say much about the correctness of the first objection, but the past couple of weeks a growing number of Opera users have been working hard at debunking the second one.

In Opera 9.50 we added some new security features, and changed a some others. Two of these are the following:

• We now use HTTP GET requests to retrieve OCSP revocation information
  
• Additionally we download further revocation information, the CRLs (Certificate Revocation Lists), from the issuer and check those.
  

Both of these turned out to encounter unexpected problems, not due to bugs in our implemenation, but at the CA side. In all cases the problem cause full validation of the certificates to fail, and as a result Opera reduces the security level of the connection so that a padlock will not be displayed. Quite a lot of people noticed.

For OCSP we encountered problems with at least three different brands of OCSP responders. These responders did not respond correctly when we sent a request for infromation about a certificate. It wasn't until a couple of weeks ago that the vendor for one of them discovered the reason for the problem, their expectation of input format was wrong. According to my information they have developed a patch, and I assume they are doing QA on it now, before sending it to the two (or more) CAs that are affected by this. The others have shown up recently and I do not have good information about the causes.

With CRLs we encountered two problems. Just before 9.50 was released we got the first reports about the first case, but it was not until a few days after the release that we got an overview of the situation.

It turns out that one specific CA created an intermediate certificate a few years ago for one of their certificate hierarchies. This certificate included an incorrect URL for where we should go to fetch the CRL, so when Opera fetches the CRL it gets a CRL created for a different hierarchy than the one being verified. As a result Opera's ceritificate validation code can't find the right CRL, and this step fails. This certificate became installed on thousands of servers before the mistake was discovered, and despite a campaign to replace the certificates, several hundred sites (many of them banks) still use the old certificate.

In another case, which came to light last week, another CA have issued an intermediate certificate directly below their root that does not contain a URL for a CRL, but the sub-ordinate certificate issued from that intermediate does specify a CRL. As Opera's certificate validation code expects that if one certificate have a CRL they all use CRLs, validation of the topmost intermediate certificate fails because it can't find the CRL for that certificate.

What can be done about this?

• About the OCSP issue, we wait for the vendor patch, but in Opera 9.51 we have added an override that lets us use the certificate update system to specify which OCSP URLs that must use the old POST method. In addition one CA also deployed a workaround.
  
• About the first CRL issue, the websites need to update their installed certificates, in the second case the CA must also issue a new updated certificate. While waiting for that, in 9.51 we are adding a similar override mechanism as for OCSP, by specifying extra CRL download locations for specific CAs. In the second case we might also be able to fix the issue if the CA has a root for that particular CA name by distributing it to all installations that access the affected sites (that is not a realistic option for the first case).
  

These changes will be active in the upcoming Opera 9.51 RC2 (Update: Now available), and is already active in the online certificate repository. You will get the updates the next time Opera checks for updates, or if you use Help->Check for updates.

Update July 9: There are some sites with certificates that does not provide any CRL or OCSP information in the site certificate, while the rest of the certificate in the chain have CRLs. Due to a minor bug, and restrictions in the override functionality, the override for that will not become active before 9.52 has been released. At present we are only aware of 10-20 sites affected by this.

A few hours ago the new online certificate repository that the most recent weeklies are using was updated with several new roots, and an additional CA, Comodo, was also provisionally EV-enabled

The new and the updated CAs are

• America OnLine
  
• Cisco
  
• Comodo
  
• Digicert
  

There is no need to download an updated Weekly (if you have one of the two recent ones). When you next restart one of the Opera 9.50 Weeklies with support for online certificate updates, it will immediately download the indexes, and download the new certificates when necessary. Please give it a minute to finish the update.

Here are a couple of testsites:

• AOL: https://new.aol.com/ . This site will verify in newer versions, but not in older (Warning about issuer). Known problem: The security level is low due to problems with the CRL (Unsupported format, and currently no plans to support it. The connection will fail in the first build). AOL is aware of the problem, and was already working on updating their CRL system
  
• Comodo EV sites:
  
• https://www.sslcertificaten.nl/
  
• https://comodocertificationauthority-ev.comodoca.com/
  
• https://secure.comodo.com/example.html
  

Known Issues: The complex certificate chain system used by Comodo encounters some, mostly hidden, problems with our OpenSSL certificate verification support, and that will cause some EV sites to not be recognized. We will try to fix it, but it may not be advisable to include a fix in 9.50.
[*] DigiCert:

• https://vpn.osrmedical.com/Citrix/AccessPlatform1/auth/login.aspx In older versions this will validate to an Entrust root (see in the Certificate details view of the security toolbar dialog), after this remote update of 9.50 the root will instead be "Digicert High Assurance".
  
• https://www.iwanttss.com/ In older versions this site will trigger an unknown issuer warning, after this update it will also validate to "Digicert High Assurance"
  

I do not currently have testcases for Cisco, as they have not yet started issuing certificates from the new root.

More about known issues:

• We know there are some problems with OCSP and CRL responses (the two kinds of revocation information) from some Certificate Authorities. These problem may lead to the website getting a lower security level. We are looking into these problems together with the CAs. In last week's build some of the CRL problems will cause a "Fatal Error 50", in the most recent build that has been fixed. We may decide to work around some of these, but they should preferably be fixed by the CA.
  
• At least one CA (who is not in our repository) is using CRLs with a critical extension, which will cause the secure connection to fail with error code 554. In this case we are following the standard, although one might wonder why the specification says "Although the extension is critical, conforming implementations are not required to support this extension". The problem have been "fixed" internally by recognzing the extension, then ignore it, as we do not need it.
  

.