Schneier on Security

Rowena • November 11, 2022 9:26 AM

@ lurker,

Nope, just a bit of experience sifting through gizzard contents. So I find my browser’s Cert. store:
Q1, what’s XYZ doing in there?;
Q2, what will break if I remove it?

In my experience, it’s more like “here’s a list of 200 authorities, shown 6 at a time, and how the hell do I remove them without like 600 separate clicks?” “Ah, Firefox supports multi-select”, one might think. Nope; if you select the whole range, you’ll have selected folders, and that disables the Edit Trust button. Those who meticulously de-select the folders may be surprised to find that the Edit Trust button then opens about 150 separate dialogs, one after another. It’s moot anyway, ’cause one can’t see the trust settings on the Authorities list, and stuff will sneak into there at every (likely automatic) update.

The “real” way to disable the built-in authorities in Firefox or Chromium, for those wondering, is to make sure the browser can’t load the actual “nssckbi” library. On an ELF platform, replace it with a real and empty ELF library; using the “bwrap” tool, a.k.a. bubblewrap, is the easiest way, ’cause some browsers can get past $LD_PRELOAD unless you hook the dlopen() function. You can then add your own authorities—or individual certificate exceptions, which I recommend for sensitive contexts such as banking profiles. (You’ll find, by the way, that Chromium tries to validate something signed by “Google Trust Services” several times before you load any page, even if you think you’ve blocked all Google telemetry etc. and configured URLAllowlist and URLBlocklist very strictly.)

Rowena • November 11, 2022 8:18 PM

lurker, I’m not too familiar with the format of the certificate store, but I know “certutil” is the command-line tool to work with it. It is… not user-friendly, especially when trying to edit an existing database. But if you save a bunch of TLS server certificates (in Firefox, click the lock, “connection secure”, “more information”, then “PEM (cert)” beside “Download:”), there’s a tool on Github to generate a cert_override.txt that can be dropped into a Firefox profile directory. Or for Chromium, run for each certificate:

cat foo.pem | openssl x509 -pubkey | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64

Then prepend “–ignore-certificate-errors-spki-list=” to each hash and add these as command-line options.

It’s easy enough to script other of these to auto-generate, on browser startup, from a PEM directory stored in git. No SQL hackery required, though perhaps one could do similarly for a bunch of CA certificates and use certutil to re-create an NSS database from scratch each time (as I imply above, it’s easier to delete the old one than try to fix it). Probably a libnssckbi.so could be generated too; or to be a bit more clever, use a DLL constructor function to populate the list on dlopen. Debian-derived distributions keep a bunch of PEM certificates at /etc/ssl/certs that could be used for this purpose (and will ask before adding CAs there, if configured to do that); OpenSSL uses it but for some reason the packaged Firefox and Chromium don’t.

Rowena • November 17, 2022 4:03 PM

Today in sketchy certificate authority news: e-Tegra, a Turkish CA, was using default credentials for some publically-accessible administration pages. Helpfully, the site told visitors which name and password to use. A different section of their website allowed anyone to create their own admin account—with no verification, of course—to look at things such as pictures of people’s passports.

The linked page references the “CA/B Forum Network Security Guidelines”. In fact, CA/B claim these to be requirements (not guidelines), despite several “SHOULD” statements and other escape clauses. Oddly, since this account was accessible outside a “Secure Zone”, the rules only required an 8-character password; whereas had access been properly restricted, it would’ve required 12. That seems backwards, although I think the accessibility outside the secure zone was, itself, a breach.

What’s the CA/B policy for handling a failure to meet requirements, particularly in such an egregious case? It seems like something that should be on their site; and given that it’s happened before, should be accompanied by some kind of history of additions, breaches, and removals. Maybe it’s buried in e-mail archives or meeting minutes, but I’m not seeing anything obvious.

Rowena • November 17, 2022 6:24 PM

@ lurker,

Does it matter what the policy is if no action is ever taken against violators?

When I wrote “history of … breaches, and removals”, that was my intended subtext. I know stuff like this has happened before, and I recall some “too big to fail” events that made the CA/B look quite toothless. But I was expecting to find some pretense of consequences for failure; maybe some record of them having deleted a CA with no global significance, like Turktrust.

(I don’t recall exactly what happened with Turktrust, DuckDuckGo doesn’t find much, and they’ve got no Wikipedia page. I don’t see it in Firefox’s default list; but with no search feature, only a tiny box in which to view the list, and an unclear sort order, I can’t easily be sure they’re not present.)