Distrust Symantec root certs #14537
Comments
ChALkeR
added
security
|
New updates:
Symantec is selling its CA business to Thoma Bravo, the company behind DigiCert. |
|
Mozilla has decided to follow Google. https://groups.google.com/d/msg/mozilla.dev.security.policy/Oaeqtddo_Cw/lN-Pp6h1AAAJ I would like to see how they deprecate and remove them from certdata.txt if we can make it by just updating root certs. |
|
I was going to suggest the same thing: just wait until NSS removes them from certdata.txt, then upgrade. |
|
@bnoordhuis I have two questions about that approach. The main one is: do I underdtand correctly that the removal from The second one, time-constained question is — do we want to emit deprecation messages under |
That doesn't have to be an issue. We can (and do) upgrade root certificates in minor releases.
Dunno. It's probably only an annoyance for node.js TLS clients because they don't control what certificate is served to them. For node.js TLS servers, I don't know if it's worth the effort. I expect more users will find out through their browser than through |
|
@nodejs/tsc is this something we want to do for 10.0? |
|
Adding |
Trott
added
the
tsc-agenda
|
I'm 👍 in removing the affected root certs for 10. We should probably think doing it in 8 as well. |
|
+1 from me for removing the certs in 10.x and for backporting. |
|
+1 for removing in 10.x |
|
+1 |
|
Since there's multiple 👍 and no objections, does this still need to be on the TSC agenda? |
|
Summoning @Trott as he was the one who added the label 😆 |
|
@fhinkel Happy to remove it from the agenda. If anyone (members of TSC or not) have concerns or objections, they can add it back to the agenda. (Our governance rules are that anyone can add anything to the TSC agenda.) |
Trott
removed
the
tsc-agenda
|
+1 from me, and backporting to all the things |
|
@nodejs/tsc @nodejs/crypto ... If this is going to make it in time for 10.0.0 it really needs to get landed today. |
|
I only identified what certificates would need to be distrusted, I didn't write any code. What about you, @ChALkeR? (FWIW, I also don't think any action is needed right now but maybe that's just me.) |
|
If that's the case, then awesome :-) Just want to make sure nothing slips through. I'll take this off the 10.0.0 milestone. Please add it back on and give me a heads up if it definitely needs to be added back. |
ChALkeR
changed the title
|
Is this likely to happen for v11 given the dates in #22180? |
|
This didn't happen in 10 nor 11. Is this likely to happen for 12 or should we just close this? If we do want it to happen, what needs to be done? @nodejs/tsc @nodejs/crypto |
|
Mozilla delayed to distrust Symantec Cert to Firefox64, probably mid of Dec. I think it is better to wait for it until Mozilla does it. |
ChALkeR
changed the title
|
I'm going to close this per @shigeki's comment. Symantec's certificates are still present upstream. |
|
@bnoordhuis, um, @shigeki's comment was from last year and it was about December 2018. The distrust happened in Firefox 64, according to the release notes: |
|
@ChALkeR They're still present in upstream NSS (v3.42.1 as of this writing), which is where we get our root certificates from. I thought we were taking the approach I mentioned in #14537 (comment) but if we're going to perform active blacklisting, then someone needs to write the code and be quick about it too because the release is next month. |
|
/to @nodejs/security @nodejs/security-wg As I understand it, the question is whether we should deviate from the standard root update process, or not? If Node.js is going to start overriding the Mozilla trust decisions, we should have a pretty good reason. They have a well-defined process for deciding trust, I don't think we do. |
|
More info about Mozilla impl of the distrust: https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec The opt-out flag This is how the distrust is applied: The default value is |
|
So Mozilla is not trusting Symantec by default but are still shipping root certs in NSS .. I suppose this is to be maximally compatible with users who still need that option .. I think it would be entirely consistent of us to apply a similar rule and maybe that simply means editing our update process to explicitly strip out Symantec (some There's plenty of +1's here to support this. Removing during 12 is going to be trickier than adding it back in if we find out we made a terrible mistake. |
|
@rvagg, looking at the code -- it's not going to be that simple, I suppose. There is a set of whitelisted intermediates, listed on https://wiki.mozilla.org/CA/Additional_Trust_Changes#Symantec, and applied here:
Simply sedding out root Symantec certs would break those trusted intermediates, wouldn't it? Perhaps it would make sense to postpone things till the next major release, because (at least as I currently understand things) the code for this particular distrust isn't going to be very nice. On the other hand, we don't need e.g. |
|
Hah, yeah that whitelist does make it kind of complicated, I'm still inclined to just rip all Symantec out but that's not easy to justify without any data on how many certs were issued by those itermediates So we wait then I guess, unless someone comes up with some code that can mirror that solution and graduate us toward full removal. We could backport a |
|
I'd be OK with ripping symantec certs out for 12.0.0, and seeing if there is an uproar. If not, fait accompli. If there is pushback, there is 6 months to stabilize, they can be added back (or the whitelist code added). |
ChALkeR
changed the title
|
@rvagg @sam-github Off-hand, I don't think that it's a good idea to block certs that are specifically whitelisted by Mozilla and Google. Exactly because of the "overriding the Mozilla trust decisions" point. In #14537 (comment), you mentioned "overriding the Mozilla trust decisions", but what I was proposing was the opposite of overriding Mozilla trust decisions -- it was following them, instead. NSS alone does not perfectly represent Mozilla trust decisions for Firefox, NSS + overrides inside FF do. We have NSS, but we don't have the overrides, this is where the difference comes from. Blocking more than Mozilla does (by ignoring the whitelist) is most likely not a good solution, imo. It is still not clear what to do here, I'm conflicted. I'm going to briefly mention this tomorrow for more discussion and input, I think? There were some thumbs up earlier, but those people have not commented after the situation became more clear yet. |
ChALkeR
added
the
tsc-agenda
|
@ChALkeR I also said "have a good reason". :-). The technical challenges of reproducing the Mozilla whitelist code is compelling (to me), but its uncomfortable having to make this decision, especially on little data. We have three options:
If we try This discussion is mostly about Mozilla, because that is where we get our certs from, but what about Chrome or the other browsers? Does anybody know what they are doing about this? |
|
This was mentioned in the TSC Meeting today (nodejs/TSC#673), @rvagg proposed to give this more time and to move the decision to a minor 12.x release instead (meaning a removal from 12.0 milestone), perhaps with a note in 12.0 release that certs trust could be updated in a minor release. There were no objections to potentially landing the distrust in a minor 12.x release, if that happens before it goes into LTS mode. |
|
And for anyone in here that's especially keen on this happening—you could help do this work because there's nobody obvious stepping up at the moment to do it. I'm imagining copying that mozilla logic such that we blacklist Symantec but whitelist the intermediates in question. That could go in as the default behaviour in 12 before LTS (October this year) with a command-line argument to revert to original (full trust) behaviour to help people with breakage ( |
ChALkeR
removed
the
tsc-agenda
|
Another five months have passed and no one has put up a pull request so far. The deadline is 2019-10-22, that's when v12.x LTS starts. |
|
We've gone nearly a full year on this and it hasn't happened. ping @nodejs/crypto |
|
I'm going to close this out because it's unlikely to happen, not at this point. The cutoff was over a year ago. |
Similarly to #9434, I think that we should follow Google/Mozilla on this one, too.
I'm opening this in advance as it deserves some messaging and announcements in advance, after the decision would be made.
Refs:
google.comandgmail.comcerts, issuing certs after deadline, vulnerabilities, audition failures, etc.).Not yet listed on the
CA:Symantec_Issuespage: https://blog.hboeck.de/archives/888-How-I-tricked-Symantec-with-a-Fake-Private-Key.html (also I believe that this came up after Google/Mozilla drafted the current plan).The final roadmap for Chrome is (dates are approximate as usual per Chrome release schedule):
That's around Node.js 9.0 release.
That's around Node.js 10.0 release.
That's around Node.js 11.0 release.
The roadmap for Mozilla is not final yet, but it's expected that they will reject all Symantec-signed certs starting from October 16, 2018 (Firefox 63) or November 27, 2018 (Firefox 64). There also is an intermediate step, that they are considering to place somewhere between December 1, 2017 and April 2018, as I understood things.
So, for Node.js, I would propose to:
--pending-deprecationfor Node.js 9.0 release, ref: src, buffer: add --pending-deprecation flag #11968, cc @jasnell.Chrome will start logging those to DevTools console in October 2017.
I don't think that we should print those deprecation messages by default at all, as those will most likely be just thirdparty website issues that will just confuse users in most cases, and they will be forced to fix that by browsers.
/cc @shigeki, @bnoordhuis, @indutny specifically and @nodejs/ctc in general.
This also affects Thawte, GeoTrust and RapidSSL certs.
The text was updated successfully, but these errors were encountered: