{"id":4967,"date":"2017-09-21T15:41:16","date_gmt":"2017-09-21T19:41:16","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=4967"},"modified":"2017-09-22T01:04:57","modified_gmt":"2017-09-22T05:04:57","slug":"mozilla-distrusts-procert","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/mozilla-distrusts-procert\/","title":{"rendered":"Mozilla Distrusts PROCERT, Removes it from Root Program"},"content":{"rendered":"<h2>Mozilla alleges PROCERT is not &#8220;adequately aware of the requirements placed upon them.&#8221;<\/h2>\n<p>Mozilla has reached a decision to distrust PROCERT and to remove the CA from its root program for a range of issues centering on the mis-issuance of 29 SSL certificates. The decision was laid out in a <a href=\"https:\/\/groups.google.com\/forum\/m\/#!topic\/mozilla.dev.security.policy\/Ymrpsm7s5_I\" rel=\"nofollow\">post to Mozilla&#8217;s dev.security.policy forum<\/a> earlier today.<span id=\"newline\"><\/span><\/p>\n<p>In the post, Gervase Markham writes:<\/p>\n<blockquote><p>Considering [a large number of issues were raised regarding the operations and\u00a0practices of this CA], it seems clear to us that PROCERT have not been, and\u00a0continue not to be, adequately aware of the requirements placed upon them by various RFCs, the CA\/Browser Forum&#8217;s Baseline Requirements, and\u00a0Mozilla Root Store Policy. They have not demonstrated sufficient control\u00a0of their issuance pipeline or sufficient checking of the results to\u00a0avoid regularly creating certificates which violate the requirements of\u00a0one or more of those documents. PROCERT have also made assurances to us,\u00a0via responses to CA Communications, that certain things were true which\u00a0are manifestly not so (e.g. 
that they were using properly-randomized\u00a0serial numbers).<\/p><\/blockquote>\n<p>Also of concern was PROCERT&#8217;s response to the issues raised about its operations and practices, which Mozilla deemed inadequate.<\/p>\n<h2>Here&#8217;s How PROCERT Got Here<\/h2>\n<p>PROCERT is a tiny, government-affiliated Venezuelan CA that has issued only a few hundred publicly trusted certificates. We wrote an article last month giving the <a href=\"https:\/\/www.thesslstore.com\/blog\/browsers-distrust-procert\/\">full details of the seven issues raised by Mozilla on August 16th<\/a>, but I&#8217;ll give you the abridged version here.<\/p>\n<p>So, how did such a small CA get into so much trouble? By practically making its ineptitude look like some bizarre form of performance art. In total PROCERT mis-issued 29 SSL certificates. Among them, it:<\/p>\n<ul>\n<li>issued certificates for .local names, which are reserved for mDNS and cannot be validated in the public DNS;<\/li>\n<li>issued certificates whose names were URLs (scheme and path included) rather than bare host names;<\/li>\n<li>issued certificates for reserved IP addresses (private or otherwise non-routable ranges that nobody can prove control of);<\/li>\n<li>left the Common Name out of the Subject Alternative Name extension, even though the Baseline Requirements require any CN to be repeated as a SAN entry;<\/li>\n<li>issued certificates with non-random serial numbers, where the Baseline Requirements require at least 64 bits of CSPRNG output in every serial;<\/li>\n<li>returned &#8220;good&#8221; OCSP responses for serial numbers it had never issued, which the Baseline Requirements forbid (the correct answer for an unissued serial is &#8220;unknown&#8221;); and<\/li>\n<li>issued a certificate with a 1024-bit RSA key, half the 2048-bit minimum.<\/li>\n<\/ul>\n<p>Comically, the 1024-bit key was discovered by accident: PROCERT shared the certificate itself while ineptly trying to defend against another allegation.<\/p>\n<p>And\u00a0PROCERT\u00a0only dug itself in further when, in subsequent defenses, it argued that a name beginning with &#8220;http:\/\/&#8221; was allowable (RFC 5280 and the Baseline Requirements say it is not: a dNSName must be a bare host name, never a URL) and then asked if anyone knew the OpenSSL command line to test its OCSP responders.<\/p>\n<p>Now, I understand that was a dense couple of paragraphs. You might not know what all of that means. That&#8217;s OK. What&#8217;s not OK was for PROCERT, a trusted CA, not to know. 
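<\/p>\n<p>Every failure described above is mechanically checkable before a certificate leaves the issuance pipeline, which is exactly the control Mozilla says PROCERT lacked. What follows is an added example, not code from the original post, from PROCERT or from Mozilla: a small pre-issuance linter for those failure modes. It works on a certificate that has already been parsed into a plain dict (the field names subject_cn, san_dns, san_ip, serial, key_type and key_bits are this example&#8217;s own convention; extracting them from a real DER or PEM certificate with a library such as cryptography is left out so the block runs offline on the standard library alone), and the two sample certificates at the bottom are constructed to mirror the issues, not real PROCERT data.<\/p>\n
```python
import ipaddress
import re

# Added example (not from the original post, PROCERT or Mozilla): a linter for
# the Baseline Requirements (BR) failures named in the text. Certificates are
# plain dicts with keys subject_cn, san_dns, san_ip, serial, key_type and
# key_bits; that shape is this example's own assumption, standing in for the
# fields a real parser would pull out of a certificate.

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')
# Suffixes that can never be validated in the public DNS (RFC 6762 reserves
# .local for mDNS). A full check needs the IANA TLD list; assumption: only the
# cases the post names are covered here.
INTERNAL_TLDS = {'local', 'localhost'}
# A scheme prefix such as http: marks a URL, which is not a dNSName at all.
SCHEME = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*:')


def check_dns_name(name):
    # Problems with one dNSName SAN entry (RFC 5280 4.2.1.6, BR 7.1.4.2.1).
    if SCHEME.match(name) or '/' in name or ':' in name:
        return [f'URL instead of a DNS name: {name!r}']
    labels = name.lower().rstrip('.').split('.')
    if len(labels) < 2:
        return [f'single-label name, not a public FQDN: {name!r}']
    problems = []
    if labels[-1] in INTERNAL_TLDS:
        problems.append(f'internal name, not resolvable in public DNS: {name!r}')
    for i, label in enumerate(labels):
        if label == '*' and i == 0:
            continue  # a leading wildcard label is permitted
        if not LABEL.match(label):
            problems.append(f'malformed DNS label {label!r} in {name!r}')
    return problems


def check_ip(text):
    # The BR forbid certificates for Reserved IP Addresses (IANA special-purpose
    # ranges): RFC 1918/4193 private space, loopback, link-local, multicast...
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return [f'unparseable IP address: {text!r}']
    if (ip.is_private or ip.is_reserved or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_unspecified):
        return [f'reserved IP address: {text}']
    return []


def check_serial(serial):
    # RFC 5280 4.1.2.2: positive integer of at most 20 octets. BR 7.1 (since
    # 2016-09-30): at least 64 bits of CSPRNG output, so anything shorter than
    # 64 bits cannot comply no matter how it was generated.
    if serial <= 0:
        return ['serial number must be a positive integer']
    bits = serial.bit_length()
    if bits > 159:
        return ['serial number longer than 20 octets']
    if bits < 64:
        return [f'serial has only {bits} bits; BR require >= 64 bits of CSPRNG output']
    return []


def check_key(key_type, key_bits):
    # BR 6.1.5: RSA keys must be at least 2048 bits.
    if key_type == 'RSA' and key_bits < 2048:
        return [f'RSA key of {key_bits} bits; BR minimum is 2048']
    return []


def lint_cert(cert):
    # Run every check and return the list of problems (empty means clean).
    problems = []
    cn, san_dns, san_ip = cert.get('subject_cn'), cert['san_dns'], cert.get('san_ip', [])
    if not san_dns and not san_ip:
        problems.append('no subjectAltName entries at all')
    # BR 7.1.4.2.2: a CN, if present, must repeat a value already in the SAN.
    if cn is not None and cn not in san_dns and cn not in san_ip:
        problems.append(f'CN {cn!r} is not repeated in subjectAltName')
    for name in san_dns:
        problems.extend(check_dns_name(name))
    for ip in san_ip:
        problems.extend(check_ip(ip))
    problems.extend(check_serial(cert['serial']))
    problems.extend(check_key(cert['key_type'], cert['key_bits']))
    return problems


def serials_look_sequential(serials, max_gap=1000):
    # One certificate cannot prove its serial came from a CSPRNG, but a batch of
    # small, closely spaced serials is exactly what a counter produces.
    s = sorted(serials)
    return len(s) >= 3 and all(0 < b - a <= max_gap for a, b in zip(s, s[1:]))


# Constructed samples mirroring the failures in the text; not real PROCERT data.
BAD_CERT = {
    'subject_cn': 'intranet.example.local',  # CN not repeated in the SAN
    'san_dns': ['fileserver.local', 'https://www.example.com/login'],
    'san_ip': ['192.168.1.10'],  # RFC 1918 private space
    'serial': 1045,  # a counter value, nowhere near 64 random bits
    'key_type': 'RSA', 'key_bits': 1024,
}
GOOD_CERT = {
    'subject_cn': 'www.example.com', 'san_dns': ['www.example.com', 'example.com'],
    'serial': 0x4F3A9C1E77B2D8405A6E91C3F0B7D2E4, 'key_type': 'RSA', 'key_bits': 2048,
}

if __name__ == '__main__':
    print('bad cert:', lint_cert(BAD_CERT))
    print('good cert:', lint_cert(GOOD_CERT))
    print('counter serials?', serials_look_sequential([1043, 1044, 1045, 1047]))
```
\n<p>Run as-is, the block reports six failures for the constructed bad certificate and none for the good one. The serial check on a single certificate can only reject values too short to hold 64 random bits; an issuer using a counter shows up across a batch, which is what serials_look_sequential is for. As for the OCSP question PROCERT asked in public: openssl ocsp with -issuer, -cert and -url (or -serial in place of -cert, passing a serial number you know was never issued) queries a responder directly, and a responder that answers &#8220;good&#8221; for an unissued serial is exactly the failure Mozilla flagged.<\/p>\n<p>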
Its lack of knowledge of industry standards, coupled with its response (mistakenly thinking that simply revoking the certificates was enough), is what ultimately doomed PROCERT.<\/p>\n<blockquote><p>PROCERT&#8217;s response to these issues was inadequate. While\u00a0they revoked (most, but not all, of) the certificates which were flagged\u00a0as problematic, their written responses have been limited in number and\u00a0are very superficial. In some cases, it is clear that they have not\u00a0understood the issue that was raised. They have not, to our knowledge,\u00a0performed any root cause analysis which might allow us to have some\u00a0confidence that problems of this or a similar nature will not recur. We\u00a0have very little insight into their systems and what, if any, safeguards\u00a0they have in place.<\/p><\/blockquote>\n<p>So, that&#8217;s it for PROCERT. Once its root is pulled from Mozilla&#8217;s root store, certificates chaining to it will no longer be trusted by Firefox. While the CA is currently still trusted by Apple and Microsoft, both companies tend to fall in line with decisions made by Mozilla (as well as Google, which already did not trust PROCERT).<\/p>\n<p>Frankly, this decision isn&#8217;t going to affect many people. Its impact will mostly be limited to Venezuela, and only to a handful of public websites. 
It&#8217;s mostly a problem for the Venezuelan government.<\/p>\n<h2>What we Hashed Out (For Skimmers)<\/h2>\n<p>Here&#8217;s what we covered in today&#8217;s discussion:<\/p>\n<ul>\n<li>Venezuelan CA PROCERT has been distrusted by Mozilla and removed from its root program.<\/li>\n<li>A number of issues were raised about the CA&#8217;s competence and understanding of industry standards.<\/li>\n<li>PROCERT&#8217;s response to these allegations was underwhelming and ultimately led to the decision to distrust the CA.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Mozilla alleges PROCERT is not &#8220;adequately aware of the requirements placed upon them.&#8221; Mozilla has reached a decision to distrust PROCERT and to remove the CA from its root program&#8230;<\/p>\n","protected":false},"author":6,"featured_media":4992,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[17],"tags":[164,192,581,467],"class_list":["post-4967","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-industry-lowdown","tag-certificate-authorities","tag-mozilla","tag-ssl-certificate","tag-ssltls","post-with-tags"],"views":8098,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2017\/09\/iStock-693493044.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/4967","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"emb
eddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=4967"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/4967\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/4992"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=4967"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=4967"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=4967"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}