Re: SSL Bump Certificate Blacklist

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Thu, 15 Sep 2011 10:31:35 -0600

On 09/15/2011 09:17 AM, Fabian Hugelshofer wrote:

> You probably all have heard about the compromise of the DigiNotar CA
> [1]. This CA operated as intermediate certificate authority in several
> trust chains. One of these chains is the "Staat der Nederlanden Root CA".
> This CA has not revoked the DigiNotar intermediate CAs until today.
>
> Popular browsers (at least Mozilla, IE, Chrome) have implemented
> blacklists that block certificates that are known to be fraudulent or
> are signed by a compromised CA. Chrome blocks certain serial numbers of
> server certificates and certain hashes of CA certificates [2]. QT blocks
> certain combinations of serial numbers and common names [3].
>
> As I understand it, it is currently not possible to protect users of Squid
> with SSL bump from certificates that have been issued by the DigiNotar
> intermediate CA in the Staat der Nederlanden hierarchy (as long as this
> root is not removed from the list of trusted CAs).
>
> Are there already plans to implement similar blacklists or ACLs in Squid
> similar to what most browsers did?
>
> How would you implement such a blacklist? Would you introduce a new ACL
> that can be used to black- or possibly whitelist certain certificates?

Can we rely on the OpenSSL library and its Certificate Revocation Lists
support? Have you tried using CRL for this purpose? I see Squid code
that loads CRLs but I have not tested it.

> What would you use to identify the certificates?
> - Serial number?
> - Serial number and common name?
> - Serial number and issuer?
> - Fingerprint (might not be available in each case)?

I hope somebody already answered these important questions in general
CRL context!

Thank you,

Alex.

> PS: I am not subscribed to the list. Please include me as CC in your reply.
>
>
> [1]
> http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
>
> [2]
> http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate.cc?revision=99534&view=markup
>
> [3]
> http://qt.nokia.com/files/qt-patches/blacklist-diginotar-and-comodo-certs.diff
>
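The thread raises two practical questions: which identifier a blacklist should key on (serial number alone, serial plus issuer, or a fingerprint), and whether an ordinary CRL can do the job. The following Go program is an added illustration written for this archive page; it is not code from the thread, from Squid, or from any of the cited browser blacklists. It builds a constructed two-CA PKI in memory (the CA names, host names and serial numbers are made up) and runs five leaf certificates through a blocklist that supports all three schemes. The "sameSerialOtherCA" case shows why a serial number alone is not a safe key: a different CA can legitimately issue the same serial to the same common name, so the block entry is keyed on issuer plus serial. The CRL path only accepts a list whose signature verifies against the issuing CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Verdict names the rule that blocked a certificate; Allowed is the empty string.
type Verdict string

const Allowed, ByFingerprint, ByIssuerSerial, ByCRL Verdict = "", "sha256-fingerprint", "issuer+serial", "crl"

// Blocklist combines the identification schemes discussed in the thread.
type Blocklist struct {
	Fingerprints map[string]bool                 // hex SHA-256 over the DER certificate
	IssuerSerial map[string]bool                 // issuer DN + ":" + serial (hex); serial alone is ambiguous
	CRLs         map[string]*x509.RevocationList // signature-checked CRLs, keyed by issuer DN
}

func fingerprint(der []byte) string { s := sha256.Sum256(der); return hex.EncodeToString(s[:]) }
func issuerSerialKey(issuer pkix.Name, serial *big.Int) string { return issuer.String() + ":" + serial.Text(16) }

// Check applies the rules in order and reports the first one that matches.
func (b *Blocklist) Check(c *x509.Certificate) Verdict {
	if b.Fingerprints[fingerprint(c.Raw)] { return ByFingerprint }
	if b.IssuerSerial[issuerSerialKey(c.Issuer, c.SerialNumber)] { return ByIssuerSerial }
	if crl := b.CRLs[c.Issuer.String()]; crl != nil {
		for _, r := range crl.RevokedCertificates {
			if r.SerialNumber.Cmp(c.SerialNumber) == 0 { return ByCRL }
		}
	}
	return Allowed
}

// issue creates a leaf signed by parent, or a self-signed CA when parent is nil (constructed test PKI).
func issue(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if parent == nil { // a CA that may sign both certificates and CRLs
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { return nil, nil, err }
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// signedCRL builds a CRL for the given serials and accepts it only if the CA's signature over it verifies.
func signedCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serials ...int64) (*x509.RevocationList, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil { return nil, err }
	crl, err := x509.ParseRevocationList(der)
	if err != nil { return nil, err }
	return crl, crl.CheckSignatureFrom(ca) // never trust an unsigned or mis-signed CRL
}

// Scenario builds the constructed two-CA PKI and returns the verdict for each leaf.
func Scenario() (map[string]Verdict, error) {
	badCA, badKey, err := issue(nil, nil, "Compromised Intermediate CA (constructed)", 1)
	if err != nil { return nil, err }
	goodCA, goodKey, err := issue(nil, nil, "Honest CA (constructed)", 1)
	if err != nil { return nil, err }
	leaves := map[string]*x509.Certificate{}
	leaf := func(name string, ca *x509.Certificate, k *ecdsa.PrivateKey, cn string, sn int64) {
		if err == nil { leaves[name], _, err = issue(ca, k, cn, sn) }
	}
	leaf("fraud", badCA, badKey, "www.example.com", 0x1001)
	leaf("sameSerialOtherCA", goodCA, goodKey, "www.example.com", 0x1001) // same CN and serial, different issuer
	leaf("hashed", badCA, badKey, "mail.example.com", 0x1002)
	leaf("revoked", goodCA, goodKey, "old.example.com", 0x2001)
	leaf("clean", goodCA, goodKey, "ok.example.com", 0x2002)
	if err != nil { return nil, err }
	crl, err := signedCRL(goodCA, goodKey, 0x2001)
	if err != nil { return nil, err }
	bl := &Blocklist{
		Fingerprints: map[string]bool{fingerprint(leaves["hashed"].Raw): true},
		IssuerSerial: map[string]bool{issuerSerialKey(badCA.Subject, big.NewInt(0x1001)): true},
		CRLs:         map[string]*x509.RevocationList{goodCA.Subject.String(): crl},
	}
	out := map[string]Verdict{}
	for name, c := range leaves { out[name] = bl.Check(c) }
	return out, nil
}

func main() {
	v, err := Scenario()
	if err != nil { panic(err) }
	fmt.Println(v)
}
```

Running it prints one verdict per leaf: the certificate from the compromised CA is blocked by issuer+serial while the honest CA's certificate with the identical serial and common name passes, the hashed leaf is caught by its SHA-256 fingerprint regardless of who issued it, and the revoked leaf is caught through the signature-checked CRL. A fingerprint entry is the most precise key but, as the thread notes, is only usable when the exact certificate is known in advance; the issuer+serial form is what a CRL carries, which is why the two checks compose naturally.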
Received on Thu Sep 15 2011 - 16:32:19 MDT

This archive was generated by hypermail 2.2.0 : Fri Sep 16 2011 - 12:00:05 MDT