SSL Bump Certificate Blacklist

From: Fabian Hugelshofer <fh_at_open.ch>
Date: Thu, 15 Sep 2011 17:17:16 +0200

Hi all,

You probably all have heard about the compromise of the DigiNotar CA
[1]. This CA operated as an intermediate certificate authority in several
trust chains. One of these chains is the "Staat der Nederlanden Root CA".
This CA still has not revoked the DigiNotar intermediate CAs as of today.

Popular browsers (at least Mozilla, IE, Chrome) have implemented
blacklists that block certificates that are known to be fraudulent or
are signed by a compromised CA. Chrome blocks certain serial numbers of
server certificates and certain hashes of CA certificates [2]. Qt blocks
certain combinations of serial numbers and common names [3].

As I understand it, it is currently not possible to protect users of Squid
with SSL bump from certificates that have been issued by the DigiNotar
intermediate CA in the Staat der Nederlanden hierarchy (as long as this
root is not removed from the list of trusted CAs).

Are there already plans to implement blacklists or ACLs in Squid
similar to what most browsers did?

How would you implement such a blacklist? Would you introduce a new ACL
that can be used to black- or possibly whitelist certain certificates?

What would you use to identify the certificates?
- Serial number?
- Serial number and common name?
- Serial number and issuer?
- Fingerprint (might not be available in each case)?

Thank you for your input.

Best regards,

Fabian

PS: I am not subscribed to the list. Please include me as CC in your reply.

[1] http://blog.mozilla.com/security/2011/08/29/fraudulent-google-com-certificate/
[2] http://src.chromium.org/viewvc/chrome/trunk/src/net/base/x509_certificate.cc?revision=99534&view=markup
[3] http://qt.nokia.com/files/qt-patches/blacklist-diginotar-and-comodo-certs.diff
Received on Thu Sep 15 2011 - 15:17:21 MDT
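An added illustration of the check the message asks about, not part of the post and not Squid code: a Go sketch in which a blacklist carries the two entry kinds attributed to Chrome above (issuer plus serial for server certificates, a hash of the CA certificate for intermediates) and every link of the presented chain is tested. The certificates are generated in-process and the names, entry format and SHA-256 choice are my own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

type Blacklist struct {
	IssuerSerial  map[string]bool // server certs, keyed "<issuer DN>/<hex serial>"
	CAFingerprint map[string]bool // CA certs, keyed by hex SHA-256 of the DER encoding
}
func fingerprint(c *x509.Certificate) string { s := sha256.Sum256(c.Raw); return hex.EncodeToString(s[:]) }
// BlockedBy walks the chain leaf first and returns the first matching entry ("" if none); a listed intermediate thus blocks every leaf below it.
func BlockedBy(chain []*x509.Certificate, bl Blacklist) string {
	for _, c := range chain {
		if k := c.Issuer.String() + "/" + c.SerialNumber.Text(16); bl.IssuerSerial[k] {
			return "issuer+serial " + k
		} else if c.IsCA && bl.CAFingerprint[fingerprint(c)] {
			return "ca-fingerprint " + c.Subject.CommonName
		}
	}
	return ""
}
// mkCert builds a constructed test certificate signed by parent (self-signed when parent is nil).
func mkCert(cn string, serial int64, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// Demo: constructed root -> "compromised" intermediate -> server leaf; verdict with the leaf listed by issuer+serial, then with only the intermediate's fingerprint listed.
func Demo() (string, string) {
	root, rk := mkCert("Constructed Root", 1, true, nil, nil)
	inter, ik := mkCert("Constructed Compromised Intermediate", 2, true, root, rk)
	leaf, _ := mkCert("www.example.test", 3, false, inter, ik)
	chain := []*x509.Certificate{leaf, inter, root}
	return BlockedBy(chain, Blacklist{IssuerSerial: map[string]bool{"CN=Constructed Compromised Intermediate/3": true}}),
		BlockedBy(chain, Blacklist{CAFingerprint: map[string]bool{fingerprint(inter): true}})
}
```

The second verdict is the DigiNotar-style case: nothing about the leaf is listed, yet the chain is still rejected because the intermediate's fingerprint is.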
