Starred by 6 users
Status: Verified
Owner:
Closed: Dec 2011
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 1
Type: Bug

Warn about certificates signed with MD5, remove support for MD2/MD4
Project Member Reported by rsleevi@chromium.org, Oct 21 2011
http://dev.chromium.org/developers/md5-certificate-statistics was last updated in 2009 and indicates plans and options to move towards deprecating support for certificates (intermediates and roots).

Histograms to measure this were added back in http://crrev.com/8070 and are still active.

Apple has moved to disallow MD5 support, on iOS at least ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3427 / http://support.apple.com/kb/HT4999 )

Is it now an acceptable time for Chromium to implement a cross-platform blacklist for such certificates?

Currently, the metrics for reporting has_md5 are skewed, in that they are not reported on OS X (x509_certificate_mac or ssl_client_socket_mac ). However, neither individual connection metrics ( UpdateConnectionTypeHistograms(CONNECTION_SSL); ), so this may be a non-issue.
 
Comment 1 by wtc@chromium.org, Oct 21 2011
We can set the CERT_STATUS_WEAK_SIGNATURE_ALGORITHM bit
for MD5 certificates in the Canary build and see what
happens.

I don't remember how our UI handles
CERT_STATUS_WEAK_SIGNATURE_ALGORITHM.
The Windows code (but only the Windows code) currently sets CERT_STATUS_WEAK_SIGNATURE_ALGORITHM for MD4 and MD2 certificates. 

Such errors are treated as user-overridable. They are presented with the SSL Error interstitial with the strings IDS_CERT_ERROR_WEAK_SIGNATURE_ALGORITHM_[TITLE, DETAILS, DESCRIPTION, EXTRA_INFO_2], which in English are


The site's security certificate is signed using a weak signature algorithm!

You attempted to reach <ph name="DOMAIN">&lt;strong&gt;$1<ex>paypal.com</ex>&lt;/strong&gt;</ph>, but the server presented a certificate signed using a weak signature algorithm. This means that the security credentials the server presented could have been forged, and the server may not be the server you expected (you may be communicating with an attacker). You should not proceed.

In this case, the server certificate or an intermediate CA certificate presented to your browser is signed using a weak signature algorithm such as RSA-MD2. Recent research by computer scientists showed the signature algorithm is weaker than previously believed, and the signature algorithm is rarely used by trustworthy websites today. This certificate could have been forged. You should not proceed past this point.

Server's certificate is signed using a weak signature algorithm.



Along with the UMA metrics, I suspect data from the SSL observatory could also be mined to know how many this might affect. Unfortunately, such mining would probably not take into consideration the myriad cross-signed intermediates/roots that were rolled over to SHA-1. Since every analysis I've seen so far just looks at the raw data, rather than assuming a 3280/5280 compliant path building algorithm ala CryptoAPI/NSS, such analysis may report more predicted failures than would actually be seen in the wild.
Comment 3 by palmer@chromium.org, Oct 21 2011
Labels: -Pri-2 Pri-1
Owner: palmer@chromium.org
Status: Assigned
From the Observatory (this is a December 2010 dataset, IIRC; the number of live MD5 certs should be LOWER now):

mysql> select distinct `Signature Algorithm` from valid_certs;
+--------------------------+
| Signature Algorithm      |
+--------------------------+
|  sha1WithRSAEncryption   |
|  md5WithRSAEncryption    |
|  md2WithRSAEncryption    |
|  sha1WithRSA             |
|  sha256WithRSAEncryption |
|  sha512WithRSAEncryption |
+--------------------------+
6 rows in set (34.37 sec)

mysql> select count(*) from valid_certs where `Signature Algorithm` = ' md2WithRSAEncryption';
+----------+
| count(*) |
+----------+
|        4 |
+----------+
1 row in set (3.22 sec)

mysql> select count(*) from valid_certs where `Signature Algorithm` = ' md4WithRSAEncryption';
+----------+
| count(*) |
+----------+
|        0 |
+----------+
1 row in set (3.22 sec)

mysql> select count(*) from valid_certs where `Signature Algorithm` = ' md5WithRSAEncryption';
+----------+
| count(*) |
+----------+
|    13942 |
+----------+
1 row in set (3.22 sec)

mysql> select count(*) from valid_certs;
+----------+
| count(*) |
+----------+
|  1455391 |
+----------+
1 row in set (0.00 sec)

So, disabling MD5WithRSAEncryption would have broken < 1% of the web late last year. It's a lower percentage now, unless some profligate CA is still using MD5 for new certificates. (But I actually don't think anyone's still using MD5WithRSA.)

Obviously, the case for banning MD[24] is clear. No interstitial required. If you want, we can alert the 1% of MD5-having sites that Chrome won't support them much longer. We tried this with other vulnerable certificate patterns (e.g. Debian weak keys), but did not get many responses and did not observe many fixed sites in the second Observatory run. Although we weren't from a major browser telling them their site would stop working, either...

In any case, our policy, whatever it is, must be consistent across platforms and across known-weak algorithms. So the fact that the current interstitial-on-MD[25] policy is Windows-only and does not include MD5 is a bug. Bumping this up to P1 for that reason; shout me down or assign the bug to me if you disagree. :) In fact, I'll just take it.

My ideal policy is to stop supporting MD[245]WithRSA outright. By the time it got into a release (R17?), even fewer sites would be affected. But at least we should interstitial on Linux and Mac.

I could be convinced to interstitial on MD5 and ban MD[24], in a pinch. But it's better to just ban all known-weak.
palmer: I already started hacking together the cross-platform bits to at least capture the information, based on our conversation yesterday. I should have a CL up this weekend, if you're not actively working on it.
Comment 5 by palmer@chromium.org, Oct 21 2011
Owner: rsleevi@chromium.org
Oh, ok. Carry on then! Take it as far as you like, and I'll pick it up if there's anything left to do after that.
Comment 6 by wtc@chromium.org, Oct 21 2011
It is fine to make MD2 and MD4 certificates fatal errors, and MD5 certificates
an overridable error.

rsleevi: the new way to ensure cross-platform consistency is to move the code
from X509Certificate::VerifyInternal to X509Certificate::Verify.
wtc: I agree - but we're still only capturing has_md[245] on NSS & Win (x509_certificate_blah), so there is still cross-platform work to capture the signature information for OS X and OpenSSL. That's the primary cross-platform work I was referring to.
Project Member Comment 8 by bugdroid1@chromium.org, Nov 1 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=108074

------------------------------------------------------------------------
r108074 | rsleevi@chromium.org | Mon Oct 31 22:13:21 PDT 2011

Changed paths:
 A http://src.chromium.org/viewvc/chrome/trunk/src/net/data/ssl/certificates/weak_digest_sha1_root.pem?r1=108074&r2=108073&pathrev=108074
 A http://src.chromium.org/viewvc/chrome/trunk/src/net/data/ssl/certificates/weak_digest_md5_ee.pem?r1=108074&r2=108073&pathrev=108074
 A http://src.chromium.org/viewvc/chrome/trunk/src/net/data/ssl/certificates/weak_digest_md4_ee.pem?r1=108074&r2=108073&pathrev=108074
 A http://src.chromium.org/viewvc/chrome/trunk/src/net/data/ssl/certificates/weak_digest_md5_root.pem?r1=108074&r2=108073&pathrev=108074
 A http://src.chromium.org/viewvc/chrome/trunk/src/net/data/ssl/certificates/weak_digest_md2_ee.pem?r1=108074&r2=108073&pathrev=108074
 A http://src.chromium.org/viewvc/chrome/trunk/src/net/data/ssl/certificates/weak_digest_md4_root.pem?r1=108074&r2=108073&pathrev=108074
 A http://src.chromium.org/viewvc/chrome/trunk/src/net/data/ssl/certificates/weak_digest_md2_root.pem?r1=108074&r2=108073&pathrev=108074
 A http://src.chromium.org/viewvc/chrome/trunk/src/net/data/ssl/certificates/weak_digest_sha1_intermediate.pem?r1=108074&r2=108073&pathrev=108074
 A http://src.chromium.org/viewvc/chrome/trunk/src/net/data/ssl/certificates/weak_digest_md5_intermediate.pem?r1=108074&r2=108073&pathrev=108074
 A http://src.chromium.org/viewvc/chrome/trunk/src/net/data/ssl/certificates/weak_digest_md4_intermediate.pem?r1=108074&r2=108073&pathrev=108074
 A http://src.chromium.org/viewvc/chrome/trunk/src/net/data/ssl/certificates/weak_digest_md2_intermediate.pem?r1=108074&r2=108073&pathrev=108074
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate_unittest.cc?r1=108074&r2=108073&pathrev=108074
 A http://src.chromium.org/viewvc/chrome/trunk/src/net/data/ssl/certificates/weak_digest_sha1_ee.pem?r1=108074&r2=108073&pathrev=108074

Add unittests for the detection of md[2,4,5] when verifying certificates

BUG= 101123 
TEST=net_unittests:X509CertificateWeakDigestTest.*


Review URL: http://codereview.chromium.org/8391036
------------------------------------------------------------------------
Project Member Comment 9 by bugdroid1@chromium.org, Nov 1 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=108082

------------------------------------------------------------------------
r108082 | rsleevi@chromium.org | Tue Nov 01 02:10:08 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate_win.cc?r1=108082&r2=108081&pathrev=108082
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate_unittest.cc?r1=108082&r2=108081&pathrev=108082

Consider the signature algorithms of incomplete chains on Windows

R=wtc@chromium.org
BUG= 101123 



Review URL: http://codereview.chromium.org/8382026
------------------------------------------------------------------------
Project Member Comment 10 by bugdroid1@chromium.org, Nov 2 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=108308

------------------------------------------------------------------------
r108308 | rsleevi@chromium.org | Wed Nov 02 10:09:25 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate_mac.cc?r1=108308&r2=108307&pathrev=108308
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate_win.cc?r1=108308&r2=108307&pathrev=108308
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate_unittest.cc?r1=108308&r2=108307&pathrev=108308

Record when certificates signed with md[2,4,5] are encountered on OS X.

R=wtc@chromium.org
BUG= 101123 



Review URL: http://codereview.chromium.org/8374019
------------------------------------------------------------------------
Project Member Comment 11 by bugdroid1@chromium.org, Nov 3 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=108425

------------------------------------------------------------------------
r108425 | rsleevi@chromium.org | Wed Nov 02 20:44:29 PDT 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate_openssl.cc?r1=108425&r2=108424&pathrev=108425
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate_unittest.cc?r1=108425&r2=108424&pathrev=108425

Record when certificates signed with md[2,4,5] are encountered when using OpenSSL

R=joth@chromium.org
BUG= 101123 



Review URL: http://codereview.chromium.org/8368015
------------------------------------------------------------------------
Labels: OS-All Mstone-17
Summary: Warn about certificates signed with MD5, remove support for MD2/MD4 (was: NULL)
Project Member Comment 14 by bugdroid1@chromium.org, Dec 14 2011
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=114432

------------------------------------------------------------------------
r114432 | rsleevi@chromium.org | Wed Dec 14 08:08:19 PST 2011

Changed paths:
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate.cc?r1=114432&r2=114431&pathrev=114432
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate_win.cc?r1=114432&r2=114431&pathrev=114432
 M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate_unittest.cc?r1=114432&r2=114431&pathrev=114432

When encountering certificates signed with md2/md4, make it a fatal error.

When encountering certificates signed with md5, interstitial the page with an error about md5 being a weak signing algorithm.

This excludes checking the signatures of root certificates (trust anchors), as their self-signed signatures are not relevant to the security of the chain.

R=wtc@chromium.org
BUG= 101123 

Review URL: http://codereview.chromium.org/8374020
------------------------------------------------------------------------
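The policy this revision describes (MD2/MD4 fatal, MD5 an overridable interstitial, trust anchors excluded), sketched as an added example; this is not Chromium's code. The type and function names are hypothetical, the OIDs are the standard PKCS #1 signature algorithm identifiers, and the sample chains are constructed.

```cpp
#include <algorithm>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical types for illustration; not Chromium's net/ classes.
enum class Digest { kMD2, kMD4, kMD5, kOther };
enum class Verdict { kOk = 0, kOverridable = 1, kFatal = 2 };  // ordered by severity

struct ChainCert {
  std::string sig_alg_oid;  // dotted OID from the certificate's signatureAlgorithm
  bool is_trust_anchor;     // true for the root the verifier already trusts
};

// Map PKCS #1 signature algorithm OIDs to the weak digests named in the issue.
Digest DigestForOid(const std::string& oid) {
  if (oid == "1.2.840.113549.1.1.2") return Digest::kMD2;  // md2WithRSAEncryption
  if (oid == "1.2.840.113549.1.1.3") return Digest::kMD4;  // md4WithRSAEncryption
  if (oid == "1.2.840.113549.1.1.4") return Digest::kMD5;  // md5WithRSAEncryption
  return Digest::kOther;  // e.g. sha1WithRSAEncryption, sha256WithRSAEncryption
}

// Worst verdict over the chain. Trust anchors are skipped: their self-signed
// signature is not what makes them trusted, so its digest is not relevant.
Verdict EvaluateChain(const std::vector<ChainCert>& chain) {
  Verdict worst = Verdict::kOk;
  for (const ChainCert& cert : chain) {
    if (cert.is_trust_anchor) continue;
    Verdict v = Verdict::kOk;
    switch (DigestForOid(cert.sig_alg_oid)) {
      case Digest::kMD2:
      case Digest::kMD4: v = Verdict::kFatal; break;
      case Digest::kMD5: v = Verdict::kOverridable; break;
      case Digest::kOther: break;
    }
    worst = std::max(worst, v);
  }
  return worst;
}

int main() {
  const std::string kSha1 = "1.2.840.113549.1.1.5", kMd5 = "1.2.840.113549.1.1.4";
  // Constructed chains, leaf first: {leaf, intermediate, root}.
  std::vector<ChainCert> md5_root = {{kSha1, false}, {kSha1, false}, {kMd5, true}};
  std::vector<ChainCert> md5_inter = {{kSha1, false}, {kMd5, false}, {kSha1, true}};
  std::printf("md5 root: %d, md5 intermediate: %d\n",
              static_cast<int>(EvaluateChain(md5_root)),
              static_cast<int>(EvaluateChain(md5_inter)));
  return 0;
}
```

A chain whose only MD5 signature is on the root evaluates as OK, while the same digest on an intermediate or leaf triggers the overridable verdict.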
Labels: -Mstone-17 Mstone-18
Status: Verified
I'm going to mark this fixed. While there have been reports of it breaking sites (Issue 107845), some "breakage" is expected and thus is not a strict sign of needing to revert this. Since the whole purpose is to warn users about MD5 certificates, some interstitials are expected, as a means of evangelization.
Project Member Comment 16 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 17 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-Internals -Internals-Network-SSL -Mstone-18 Cr-Internals-Network-SSL M-18 Cr-Internals
Project Member Comment 18 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue