Is the key revocation list working? #180

Closed
djechelon opened this issue Oct 28, 2021 · 14 comments
Labels: bug (Something isn't working), wontfix (This will not be worked on)

Comments

@djechelon

djechelon commented Oct 28, 2021

This is a spin-off of #103

Here, I don't want to debate the revocation of individual DGCs, but discuss something odd that happened after the leak of blatantly fake DGCs (Hitler, Mickey Mouse...).

I was following the updates on Paolo Attivissimo's blog

Describe the bug

On October 27th, alleged Hitler certificates were considered invalid (the key was likely revoked) on my device. I can still see on Attivissimo's blog that Hitler's certificate was invalid.

[image]

On October 28th, the certificates posted on the blog AND on #103 by user jumpjack are considered valid

Example certificate (invalid for Paolo Attivissimo, valid for me)

[image]

Expected behaviour

Once the revocation list has been updated with revoked keys, certificates issued with those keys must be invalid forever

Steps to reproduce the issue

As described, this is a time-related issue. Initially, the certificates were considered valid, but at least once on October 27th they were considered revoked.

Additional context

All DGC material (alleged QR codes) available at the Attivissimo blog I cited.

I deleted all app data and waited for it to update the revocation list.

Yet again, this issue does not discuss revoking individual fake certificates like #103, but only mass revocation of certificates allegedly issued with the same private key.

@djechelon djechelon added the bug Something isn't working label Oct 28, 2021
@Valeri0p

Valeri0p commented Oct 28, 2021

The issue is of extreme importance, but while no official statement has been made, evidence suggests this is more probably a case of API abuse rather than a leak of the private key(s).
Some references:
ehn-dcc-development/eu-dcc-hcert-spec#103
https://github.com/denysvitali/covid-cert-analysis

Also it's interesting to note how other European countries have systems capable of revoking each certificate individually.

@djechelon
Author

But even if it's not a leak, why would some DGCs invalid yesterday become valid today? That is the scope of the issue. Once a single pass or a whole key is revoked, it should be permanent

@jumpjack

> But even if it's not a leak, why would some DGCs invalid yesterday become valid today? That is the scope of the issue. Once a single pass or a whole key is revoked, it should be permanent

Because the system manager was probably playing with enabling/disabling the private key used to generate the fake codes, and discovered that if he disables the key, some millions of valid green passes are disabled too, so he enabled it back.

@MollerAndre

What happened revealed one of the weak points of the whole DCC thing. If one (or more) DSCs are compromised then there's no way to tell if a signed certificate is genuine or not (unless you verify it directly with the issuer) until the compromised key is revealed to the public. But how many other compromised keys are there on the dark web used by someone to produce fake but still valid certificates? We do not know.

However there are a few things we can do to improve reliability of apps like VerificaC19. One thing should be to compare the key IDs with their respective emitting countries (which are known). If, e.g., a certificate of an Italian citizen signed (according to the data in the code) by the official Italian issuer is signed with the French key, it is obviously a fake.

The app, also, should show the country of the signing key so that a verifier can easily report to authorities those people who are from one nation but have certificates signed by another nation (of course all possible exceptions must be taken into account).

Just my two cents...
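
The key-country check proposed in the comment above, combined with the behaviour this issue expects (a revoked key stays revoked), as an added example that is not part of the thread or of the VerificaC19 code. `TrustStore`, its method names and the update format are hypothetical, the DSC bytes are constructed, and the inputs are assumed to come from a certificate whose COSE signature has already been verified.

```python
import base64
import hashlib

def kid_of(dsc_der: bytes) -> str:
    """DCC key ID: first 8 bytes of SHA-256 over the DER-encoded DSC, base64."""
    return base64.b64encode(hashlib.sha256(dsc_der).digest()[:8]).decode()

class TrustStore:
    """Hypothetical verifier-side store; not the app's real data model."""

    def __init__(self):
        self.country_by_kid = {}  # kid -> country that published the DSC
        self.revoked = set()      # only ever grows

    def apply_update(self, dscs, revoked_kids=()):
        """dscs: iterable of (country, der_bytes); revoked_kids: iterable of kids."""
        new = {kid_of(der): country for country, der in dscs}
        self.revoked |= set(revoked_kids)
        # Assumption of this sketch: a key withdrawn from the trust list is
        # treated like a revoked one, so re-publishing it does not revive it.
        self.revoked |= self.country_by_kid.keys() - new.keys()
        self.country_by_kid = new

    def check(self, kid: str, iss: str) -> str:
        """kid: from the COSE header; iss: CWT issuer claim (key 1), e.g. 'IT'."""
        if kid in self.revoked:
            return "revoked"
        country = self.country_by_kid.get(kid)
        if country is None:
            return "unknown-key"
        if country != iss:
            return "issuer-mismatch"  # claims one issuer, signed by another's key
        return "ok"

if __name__ == "__main__":
    it_dsc, fr_dsc = b"constructed IT DSC", b"constructed FR DSC"  # not real DER
    store = TrustStore()
    store.apply_update([("IT", it_dsc), ("FR", fr_dsc)])
    print(store.check(kid_of(fr_dsc), "IT"))  # payload claims IT, key is FR
    store.apply_update([("IT", it_dsc), ("FR", fr_dsc)], [kid_of(fr_dsc)])
    store.apply_update([("IT", it_dsc), ("FR", fr_dsc)])  # revocation list emptied
    print(store.check(kid_of(fr_dsc), "FR"))  # still rejected
```

The `issuer-mismatch` result compares the signing key's country only with the issuer stated in the payload, not with the holder's citizenship.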

@frankwalter1301

Better leave this security vulnerability as it is because this green pass thing hurts human rights IMHO.

Just my two cents...

@jumpjack

jumpjack commented Oct 30, 2021

Fortunately the names of all persons refusing vaccine are recorded for posterity. It will matter.

@djechelon
Author

> The app, also, should show the country of the signing key so that a verifier can easily report to authorities those people who are from one nation but have certificates signed by another nation (of course all possible exceptions must be taken into account).

@MollerAndre I disagree with the above statement. There are so many individual cases (e.g. a semi-permanent resident working abroad, people who traveled to get vaccinated in advance*) that trying to match the country of citizenship with the country of issuance of the DGC would reveal far too many false positives.

*Take Serbia as an intuitive example. While not an EU country, there was a time when a number of people used to fly to Belgrade just to get the injection 💉

@ALL others, please remain on topic. The topic is: a certificate was first revoked, then re-admitted to validity.

@MollerAndre

> @MollerAndre I disagree with the above statement. There are so many individual cases (e.g. a semi-permanent resident working abroad, people who traveled to get vaccinated in advance*) that trying to match the country of citizenship with the country of issuance of the DGC would reveal far too many false positives.

That's why I wrote that there are exceptions to take into account but consider, for example, Italian citizens. If one of them shows a valid certificate signed with the key of Poland, France or another country it's just a bit suspect but still possible... if many of them start showing certificates from the same country that could only mean that there is a flaw in the system.

@Valeri0p

I agree with @MollerAndre, since as far as we know the Italian servers have not been compromised till now and most of the vulnerable servers seem to be those of extra-EU countries (e.g. Macedonia, Vietnam, etc...), I think it would be a very effective way to expose forged certificates regarding Italian citizens; it would be a little harder to tell for tourists and anyone that travels frequently for any reason, but I don't think the number of false positives would be excessive.

@frankwalter1301

frankwalter1301 commented Oct 30, 2021 via email

@MollerAndre

> I don't know where you got that information, but compromised servers are from Italy, Germany and other countries too that I forgot to mention. So this is another motivation to not follow this way, other than the human rights thing, of course. On Sat 30 Oct 2021, 20:09, Valeri0p @.***> wrote:

So far there's no proof of fake certificates signed with the Italian key, do you have one?
The only keys I know of are from Poland and France.

@frankwalter1301

frankwalter1301 commented Oct 31, 2021

> I don't know where you got that information, but compromised servers are from Italy, Germany and other countries too that I forgot to mention. So this is another motivation to not follow this way, other than the human rights thing, of course. On Sat 30 Oct 2021, 20:09, Valeri0p @.***> wrote:
>
> So far there's no proof of fake certificates signed with the Italian key, do you have one? The only keys I know of are from Poland and France.

Hi. I saw a certificate with the name of "UBISOFT MERDA" and another one with "NEGRO" and something else. I remember those being Italian. Btw at the moment I don't have the QR code, but I asked my friend to provide it to me. So I will give you the QRs tomorrow hopefully.

@MollerAndre

> Hi. I saw a certificate with the name of "UBISOFT MERDA" and another one with "NEGRO" and something else. I remember those being Italian. Btw at the moment I don't have the QR code, but I asked my friend to provide it to me. So I will give you the QRs tomorrow hopefully.

A certificate with Italian silly names doesn't necessarily mean it was signed with the Italian private key. If you can find and attach those QR codes in this thread they can be analysed.

@stale

stale bot commented Mar 22, 2023

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the wontfix This will not be worked on label Mar 22, 2023
@stale stale bot closed this as completed Mar 29, 2023