What the DigiNotar security breach means for Qt users

[Update: Please see also the follow-up post: What the DigiNotar security breach means for Qt users (continued)]

This week saw a lot of news about a security breach at Dutch Certificate Authority DigiNotar. The Internet Storm Center provides a nice overview about the issue.

What happened so far

  • On July 19th, DigiNotar noticed an intrusion into its infrastructure (source). Several false certificates, among them one that could be used to pose as Gmail, were created and signed with one of DigiNotar's intermediate certificates.
  • On August 28th, an Iranian Internet user noticed that Google Chrome did not trust the certificate presented by a server posing as Gmail (source). The reason Chrome alerted was not that the certificate was invalid (the attackers had broken into DigiNotar and had it issue them properly signed certificates), but that Chrome supports a feature called "certificate pinning": for some domains like mail.google.com, Chrome has a built-in list of the root CA certificates that are allowed to anchor the certificate chain for that domain. Since the DigiNotar root certificate was never expected to anchor a chain for mail.google.com, the browser showed a security warning even though the chain itself validated.
  • On August 29th, the *.google.com certificate was revoked by DigiNotar, which was far too late, because by then the fraudulent certificate had been in use for well over a month.
  • The same day, browser vendors decided to remove trust from the whole DigiNotar root certificate, so as not to trust any certificate that might have been issued during the security breach (Internet Explorer, Firefox, Google Chrome).
  • In the following days, several operating system vendors (including Linux distributions) also removed the DigiNotar root certificate from their stores or announced that they would (Microsoft, Debian, Suse, Ubuntu).

What this means for Qt

So far, the fake *.google.com certificate has been blacklisted in Qt (in 4.7, and in the upcoming versions 4.8 and 5.0). However, this is not the only fraudulent certificate in the wild (Google Chrome blacklisted no less than 247), nor is there a comprehensive list of the certificates issued during the breach at the time of this writing.

If you are using a Qt version >= 4.7.0

Starting with Qt version 4.7.0, Qt reads the root certificates from the system store. This means that once your operating system has shipped (and you have installed) an update removing the DigiNotar root certificate, Qt will no longer trust any certificate issued by DigiNotar; until then, Qt trusts exactly what the system trusts.

If you are using a Qt version <= 4.6.*

Before 4.7, Qt shipped its own (quite old) bundle of root certificates. This bundle does not contain the DigiNotar root certificate, so no special action needs to be taken there (unless your application adds further CA certificates on its own).

What remains to be seen

Most operating systems have removed the root certificate in question, so one could assume that all is well again. However, to make the issue more interesting, there are intermediate certificates belonging to DigiNotar which were not signed by the DigiNotar root certificate but by another Certificate Authority (so-called "cross-signing"). Such certificates are not affected by removing the DigiNotar root certificate from the root store: a chain that ends in the cross-signed intermediate still reaches a root that is trusted. Apparently all fraudulent certificates were issued by the same intermediate (Dutch source), but since there is no complete list of issued certificates, there is no certainty about that either.
It remains to be seen whether removing the DigiNotar root certificate was enough to solve the whole issue.
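To make the mechanisms discussed in this post concrete, here is an added example that is neither code from the original post nor Qt's own code: a deliberately simplified C++ chain walker that models a trust store with constructed certificates (all names and fingerprints are hypothetical; only the chain shape copies the DigiNotar situation). It shows Chrome-style pinning, Qt 4.7's blacklisting of the one fraudulent certificate, and why removing the DigiNotar root alone leaves a cross-signed intermediate reachable. It matches issuer to subject names only and verifies no signatures, so it illustrates trust-store behaviour rather than standing in for a real validator.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// A certificate reduced to what the example needs; "fingerprint" stands in
// for the SHA-1 fingerprint that trust stores and blacklists key on.
struct Cert { std::string subject, issuer, fingerprint; };

// reason is "ok" or why the chain was rejected; chain lists fingerprints leaf first.
struct Verdict { bool ok; std::string reason; std::vector<std::string> chain; };

// Name-chaining validator: finds a path from leaf to a trusted root by matching
// issuer to subject. No signature, validity or revocation checks: it only
// models how a trust store behaves.
class Validator {
public:
    void addRoot(const Cert& c) { roots_[c.fingerprint] = c; }
    void removeRoot(const std::string& fp) { roots_.erase(fp); }
    void addIntermediate(const Cert& c) { pool_.push_back(c); }
    void blacklist(const std::string& fp) { blacklist_.insert(fp); }
    // Pin a host to the root subjects allowed to anchor its chain.
    void pin(const std::string& host, const std::set<std::string>& r) { pins_[host] = r; }

    Verdict verify(const Cert& leaf, const std::string& host) const {
        std::vector<std::string> path;
        std::string reason = "no path to a trusted root";
        if (walk(leaf, host, path, reason, 0)) return Verdict{true, "ok", path};
        return Verdict{false, reason, {}};
    }

private:
    bool walk(const Cert& c, const std::string& host, std::vector<std::string>& path,
              std::string& reason, int depth) const {
        if (depth > 8) return false;  // guard against issuer/subject cycles
        if (blacklist_.count(c.fingerprint)) { reason = "blacklisted " + c.fingerprint; return false; }
        path.push_back(c.fingerprint);
        // A trusted root carrying the issuer name ends the chain, unless the host
        // is pinned to other roots; then keep searching the other branches.
        for (const auto& entry : roots_) {
            const Cert& root = entry.second;
            if (root.subject != c.issuer) continue;
            auto p = pins_.find(host);
            if (p != pins_.end() && p->second.count(root.subject) == 0) {
                reason = "root '" + root.subject + "' is not pinned for " + host;
                continue;
            }
            path.push_back(root.fingerprint);
            return true;
        }
        // Otherwise try every intermediate whose subject is our issuer. A
        // cross-signed CA appears here twice (same subject, different issuer),
        // so removing one of its roots leaves the other branch intact.
        for (const Cert& next : pool_) {
            if (next.subject != c.issuer || next.fingerprint == c.fingerprint) continue;
            if (walk(next, host, path, reason, depth + 1)) return true;
        }
        path.pop_back();
        return false;
    }
    std::map<std::string, Cert> roots_;
    std::vector<Cert> pool_;
    std::set<std::string> blacklist_;
    std::map<std::string, std::set<std::string>> pins_;
};

// Constructed sample PKI (hypothetical names and fingerprints). Only the chain
// shape mirrors DigiNotar: one intermediate issued by the DigiNotar root and,
// cross-signed, by another root.
const Cert kDigiNotarRoot{"DigiNotar Root CA", "DigiNotar Root CA", "fp-root-diginotar"};
const Cert kOtherRoot{"Other Root CA", "Other Root CA", "fp-root-other"};
const Cert kIntermediate{"DigiNotar Intermediate CA", "DigiNotar Root CA", "fp-int-direct"};
const Cert kCrossSigned{"DigiNotar Intermediate CA", "Other Root CA", "fp-int-cross"};
const Cert kFakeGoogle{"*.google.com", "DigiNotar Intermediate CA", "fp-fake-google"};

// Mitigations a relying party can combine on top of the sample store.
enum Mitigation : unsigned {
    kRemoveDigiNotarRoot = 1,     // what the OS vendors did
    kBlacklistLeaf = 2,           // what Qt 4.7 did for the fake *.google.com
    kBlacklistIntermediates = 4,  // needed to close the cross-signing gap
    kPinGoogle = 8                // what Chrome does for mail.google.com
};

Verdict check(unsigned m, const std::string& host) {
    Validator v;
    v.addRoot(kDigiNotarRoot); v.addRoot(kOtherRoot);
    v.addIntermediate(kIntermediate); v.addIntermediate(kCrossSigned);
    if (m & kRemoveDigiNotarRoot) v.removeRoot(kDigiNotarRoot.fingerprint);
    if (m & kBlacklistLeaf) v.blacklist(kFakeGoogle.fingerprint);
    if (m & kBlacklistIntermediates) { v.blacklist(kIntermediate.fingerprint); v.blacklist(kCrossSigned.fingerprint); }
    if (m & kPinGoogle) v.pin("mail.google.com", {"Example Pinned Root CA"});  // hypothetical pin set
    return v.verify(kFakeGoogle, host);
}

int main() {
    const unsigned runs[] = {0, kPinGoogle, kBlacklistLeaf, kRemoveDigiNotarRoot, kRemoveDigiNotarRoot | kBlacklistIntermediates};
    for (unsigned m : runs) {
        Verdict r = check(m, (m & kPinGoogle) ? "mail.google.com" : "example.org");
        std::cout << "mitigations=" << m << ": " << (r.ok ? "ACCEPTED " : "rejected ") << r.reason << '\n';
    }
}
```

The last two runs are the point of the section above: with only the DigiNotar root removed, the fake leaf still validates through the cross-signed copy of the intermediate, and only blacklisting both copies of the intermediate (by fingerprint, since they share a subject name) closes the gap. In a Qt application the corresponding knobs are QSslSocket::setDefaultCaCertificates() for the root list and a handler on the QSslSocket::sslErrors() signal for inspecting the chain a peer presents.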

Acknowledgements

Thanks to Rich Moore from KDE for cross-reading this post.
