Mozilla Distrusts PROCERT, Removes it from Root Program
Mozilla alleges PROCERT is not “adequately aware of the requirements placed upon them.”
Mozilla has reached a decision to distrust PROCERT and to remove the CA from its root program for a range of issues centering around the mis-issuance of 29 SSL certificates. The decision was laid out in a blog post on Mozilla’s dev.security.policy forum earlier today.
In the post, Gervase Markham writes:
Considering [a large number of issues were raised regarding the operations and practices of this CA], it seems clear to us that PROCERT have not been, and continue not to be, adequately aware of the requirements placed upon them by various RFCs, the CA/Browser Forum’s Baseline Requirements, and Mozilla Root Store Policy. They have not demonstrated sufficient control of their issuance pipeline or sufficient checking of the results to avoid regularly creating certificates which violate the requirements of one or more of those documents. PROCERT have also made assurances to us, via responses to CA Communications, that certain things were true which are manifestly not so (e.g. that they were using properly-randomized serial numbers).
Also of concern was PROCERT’s response to the issues raised about its operations and practices, which Mozilla deemed inadequate.
Here’s How PROCERT Got Here
PROCERT is a tiny Venezuelan CA that is government-affiliated and has issued only a few hundred public certificates. We wrote an article last month giving the full details of the seven issues raised by Mozilla on August 16th, but I’ll give you the abridged version here.
So, how did such a small CA get into so much trouble? By practically making its ineptitude look like some bizarre form of performance art. In total PROCERT has mis-issued 29 SSL certificates: it has issued for .local domains, issued for URLs instead of domains, issued for reserved IP addresses, omitted the common name from the SANs of certificates it issued, issued with non-random serial numbers, given “good” OCSP responses for non-existent certificates and issued with a 1024-bit key. Comically, the 1024-bit key was discovered by accident, because PROCERT shared it while ineptly trying to defend itself against another allegation.
And PROCERT only dug itself further when, upon subsequent defenses of itself, it argued that “http://” was allowable (industry standards say it’s not) and then asked if anyone knew the OpenSSL command line to test its OCSP responders.
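Most of the issues listed above are mechanical checks that a CA's issuance pipeline should run before a certificate is ever signed. The following Python snippet is an added illustration of such a pre-issuance lint, not code from PROCERT, Mozilla or this site; it operates on a constructed certificate summary (common name, SAN entries, key size, serial) rather than parsing real X.509, and the thresholds it uses (2048-bit minimum RSA key, at least 64 bits of serial number entropy) are the Baseline Requirements figures as the author of this example understands them.

```python
"""Illustrative pre-issuance lint for the Baseline Requirements failures
described in the article. Hypothetical example code: it checks a simplified
certificate summary, not a parsed X.509 structure, and is not the code of
any CA or browser vendor."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

MIN_RSA_BITS = 2048          # BR minimum RSA modulus size for server certs
MIN_SERIAL_ENTROPY_BITS = 64  # BR: serial must carry >= 64 bits of CSPRNG output


@dataclass
class CertSummary:
    """Constructed stand-in for the fields a real linter would pull from X.509."""
    common_name: str
    dns_names: List[str] = field(default_factory=list)
    ip_addresses: List[str] = field(default_factory=list)
    key_bits: int = 2048
    serial: int = 0


def _looks_like_url(name: str) -> bool:
    # A dNSName SAN must be a host name; scheme separators or paths mean a URL slipped in.
    return "/" in name or ":" in name


def _is_internal_name(name: str) -> bool:
    # .local (mDNS) and single-label names are not publicly resolvable and are forbidden.
    return name == "local" or name.endswith(".local") or "." not in name


def lint_certificate(cert: CertSummary) -> List[str]:
    """Return a list of human-readable BR violations found in the summary."""
    problems = []
    for name in cert.dns_names:
        lowered = name.lower()
        if _looks_like_url(lowered):
            problems.append(f"dNSName SAN is a URL, not a host name: {name}")
        elif _is_internal_name(lowered):
            problems.append(f"internal or non-public name in SAN: {name}")
    for ip in cert.ip_addresses:
        # is_global is False for private, loopback, link-local and IANA-reserved ranges.
        if not ipaddress.ip_address(ip).is_global:
            problems.append(f"reserved or non-public IP address in SAN: {ip}")
    if cert.common_name and cert.common_name not in cert.dns_names \
            and cert.common_name not in cert.ip_addresses:
        problems.append(f"common name not present in SAN: {cert.common_name}")
    if cert.key_bits < MIN_RSA_BITS:
        problems.append(f"RSA key too small: {cert.key_bits} bits")
    if cert.serial <= 0 or cert.serial.bit_length() < MIN_SERIAL_ENTROPY_BITS:
        problems.append(f"serial number lacks required entropy: {cert.serial}")
    return problems


def serials_look_sequential(serials: List[int], max_gap: int = 1000) -> bool:
    """Batch check: a run of serials with small gaps was almost certainly a counter."""
    ordered = sorted(serials)
    if len(ordered) < 2:
        return False
    return all(b - a <= max_gap for a, b in zip(ordered, ordered[1:]))


# Constructed samples: one certificate that reproduces most of the article's
# failure classes, and one that passes.
BAD_CERT = CertSummary(
    common_name="intranet.corp",
    dns_names=["intranet.local", "https://www.example.com", "mail"],
    ip_addresses=["10.0.0.5"],
    key_bits=1024,
    serial=4242,
)
GOOD_CERT = CertSummary(
    common_name="www.example.com",
    dns_names=["www.example.com", "example.com"],
    key_bits=2048,
    serial=0x0C1F6A9E3B2D7C4E5F8A1B2C3D4E5F60,  # constructed 124-bit value
)

if __name__ == "__main__":
    for label, cert in (("bad", BAD_CERT), ("good", GOOD_CERT)):
        findings = lint_certificate(cert)
        print(f"{label}: {len(findings)} problem(s)")
        for line in findings:
            print("  -", line)
    print("sequential serials:", serials_look_sequential([1001, 1002, 1003, 1004]))
```

The serial check can only catch serials that are obviously too short or obviously counter-like; a CA that wants confidence in its randomness has to audit the generator itself, which is the kind of root-cause work Mozilla said PROCERT never produced.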
Now, I understand that was a dense couple of paragraphs. You might not know what all of that means. That’s OK. What’s not OK was for PROCERT, a trusted CA, not to know. But its lack of knowledge of industry standards, coupled with its response – mistakenly thinking that simple revocation was enough – are what ultimately doomed PROCERT.
Markham’s post puts it this way:
PROCERT’s response to these issues was inadequate. While they revoked (most, but not all, of) the certificates which were flagged as problematic, their written responses have been limited in number and are very superficial. In some cases, it is clear that they have not understood the issue that was raised. They have not, to our knowledge, performed any root cause analysis which might allow us to have some confidence that problems of this or a similar nature will not recur. We have very little insight into their systems and what, if any, safeguards they have in place.
So, that’s it for PROCERT. Its SSL certificates will no longer be trusted as its root has now been removed from Mozilla’s program. While the CA is currently still trusted by Apple and Microsoft, both companies tend to fall in line with the decisions made by Mozilla (as well as Google, which already didn’t trust PROCERT).
Frankly, this decision isn’t going to affect many people. Its impact will mostly be limited to Venezuela, and only to a handful of public websites. It’s mostly a problem for the Venezuelan government.
What we Hashed Out (For Skimmers)
Here’s what we covered in today’s discussion:
- Venezuelan CA PROCERT has been distrusted by Mozilla and removed from its root program.
- A number of issues were raised about the CA’s competence and understanding of industry standards.
- PROCERT’s response to these allegations was underwhelming and ultimately led to the decision to distrust the CA.