Message-id: <4BA7AA60.9090408@noaa.gov>
Date: Mon, 22 Mar 2010 13:35:28 -0400
From: Mike Duncan <Mike.Duncan@...a.gov>
To: Francis Litterio <flitterio@...il.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Firefox 3.6 for Windows includes a forged CA cert
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Good question. Confirmed on Linux version as well (Mozilla/5.0 (X11; U;
Linux i686; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6). More
information about the rogue-CA can be found here:
http://www.phreedom.org/research/rogue-ca/.
# openssl x509 -in MD5CollisionsInc.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 66 (0x42)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global eBusiness CA-1
        Validity
            Not Before: Jul 31 00:00:01 2004 GMT
            Not After : Sep 2 00:00:01 2004 GMT
        Subject: CN=MD5 Collisions Inc. (http://www.phreedom.org/md5)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ba:a6:59:c9:2c:28:d6:2a:b0:f8:ed:9f:46:a4:
                    a4:37:ee:0e:19:68:59:d1:b3:03:99:51:d6:16:9a:
                    5e:37:6b:15:e0:0e:4b:f5:84:64:f8:a3:db:41:6f:
                    35:d5:9b:15:1f:db:c4:38:52:70:81:97:5e:8f:a0:
                    b5:f7:7e:39:f0:32:ac:1e:ad:44:d2:b3:fa:48:c3:
                    ce:91:9b:ec:f4:9c:7c:e1:5a:f5:c8:37:6b:9a:83:
                    de:e7:ca:20:97:31:42:73:15:91:68:f4:88:af:f9:
                    28:28:c5:e9:0f:73:b0:17:4b:13:4c:99:75:d0:44:
                    e6:7e:08:6c:1a:f2:4f:1b:41
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                A7:04:60:1F:AB:72:43:08:C5:7F:08:90:55:56:1C:D6:CE:E6:38:EB
            X509v3 Authority Key Identifier:
                keyid:BE:A8:A0:74:72:50:6B:44:B7:C9:23:D8:FB:A8:FF:B3:57:6B:68:6C
            Netscape Comment:
                3
    Signature Algorithm: md5WithRSAEncryption
        a7:21:02:8d:d1:0e:a2:80:77:25:fd:43:60:15:8f:ec:ef:90:
        47:d4:84:42:15:26:11:1c:cd:c2:3c:10:29:a9:b6:df:ab:57:
        75:91:da:e5:2b:b3:90:45:1c:30:63:56:3f:8a:d9:50:fa:ed:
        58:6c:c0:65:ac:66:57:de:1c:c6:76:3b:f5:00:0e:8e:45:ce:
        7f:4c:90:ec:2b:c6:cd:b3:b4:8f:62:d0:fe:b7:c5:26:72:44:
        ed:f6:98:5b:ae:cb:d1:95:f5:da:08:be:68:46:b1:75:c8:ec:
        1d:8f:1e:7a:94:f1:aa:53:78:a2:45:ae:54:ea:d1:9e:74:c8:
        76:67
Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center
On 03/19/2010 04:22 PM, Francis Litterio wrote:
> In Firefox 3.6 for Windows, go to Tools -> Options -> Advanced -> Encryption ->
> View Certificates -> Authorities and scroll down to the entry for "Equifax
> Secure Inc." and you'll see a cert labeled "MD5 Collisions Inc
> (http://www.phreedom.org/md5)" grouped with the other Equifax certs.
>
> Yes, it's expired, so it poses no real threat, but why is the Mozilla Project
> shipping Firefox with that cert? It just causes FUD.
> --
> Fran
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAkunqlwACgkQnvIkv6fg9hZ9xgCeN2pHJd7cR/K0XoLAI4MKSR7P
6TsAn2gJ5czYDikEK25OcVsZngS/lGIN
=xb7R
-----END PGP SIGNATURE-----
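As an added example (not part of Mike's message or anything else in this thread), the following stdlib-only Python script does programmatically what the openssl output above lets you check by eye: it walks a DER certificate to read the signature algorithm, the validity period and the BasicConstraints extension, flags md5WithRSAEncryption (and SHA-1) signatures, expired certificates and the CA bit, and can run over a whole PEM bundle such as one exported from a browser's certificate manager. All function names (audit_certificate, audit_pem_bundle, build_sample_cert, sample_pem) are my own. The sample certificate is a constructed stand-in that copies only the properties shown on the page (md5WithRSAEncryption, serial 66, the 2004-07-31 to 2004-09-02 validity window, CA:TRUE) with a zero-filled dummy key and signature; it is not the real MD5 Collisions Inc. certificate and is not signed by anyone.

```python
# Added example (not from the thread): stdlib-only audit of X.509 certificates for weak
# signature algorithms, expiry and CA status. The sample cert below is a constructed stand-in.
import base64
import datetime
import re

OID_NAMES = {                                                          # DER content of each OID
    bytes.fromhex("2a864886f70d010104"): "md5WithRSAEncryption",     # 1.2.840.113549.1.1.4
    bytes.fromhex("2a864886f70d010105"): "sha1WithRSAEncryption",    # 1.2.840.113549.1.1.5
    bytes.fromhex("2a864886f70d01010b"): "sha256WithRSAEncryption",  # 1.2.840.113549.1.1.11
}
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")                        # 2.5.29.19
WEAK_ALGORITHMS = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

def der_tlv(data, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(content):
    """Return the (tag, content) pairs nested directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = der_tlv(content, pos)
        out.append((tag, val))
    return out

def parse_time(tag, content):
    """UTCTime (0x17) carries YYMMDD, GeneralizedTime (0x18) YYYYMMDD; both end in 'Z'."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.datetime.strptime(content.decode("ascii"), fmt).replace(tzinfo=datetime.timezone.utc)

def audit_certificate(der, now=None):
    """Walk one DER certificate and report what a trust-store audit cares about."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    (_, tbs), (_, outer_alg), _ = der_children(der_tlv(der)[1])  # tbs, signatureAlgorithm, signatureValue
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                 # optional EXPLICIT [0] version comes first
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, [optional ...]
    inner_alg, validity = fields[1][1], fields[3][1]
    not_before, not_after = [parse_time(t, v) for t, v in der_children(validity)]
    is_ca = False
    for tag, val in fields[6:]:
        if tag == 0xA3:                      # EXPLICIT [3] extensions
            (_, ext_list), = der_children(val)
            for _, ext in der_children(ext_list):
                parts = der_children(ext)    # extnID, [critical], extnValue OCTET STRING
                if parts[0][1] == OID_BASIC_CONSTRAINTS:
                    (_, bc), = der_children(parts[-1][1])  # BasicConstraints ::= SEQUENCE { cA BOOLEAN, ... }
                    is_ca = any(t == 0x01 and v == b"\xff" for t, v in der_children(bc))
    inner_oid, outer_oid = der_children(inner_alg)[0][1], der_children(outer_alg)[0][1]
    alg, findings = OID_NAMES.get(outer_oid, outer_oid.hex()), []
    if inner_oid != outer_oid:               # RFC 5280 4.1.1.2 requires the two to match
        findings.append("tbsCertificate.signature and signatureAlgorithm disagree")
    if alg in WEAK_ALGORITHMS:
        findings.append("weak signature algorithm: " + alg)
    if now > not_after:
        findings.append("expired on " + not_after.isoformat())
    return {"signature_algorithm": alg, "not_before": not_before, "not_after": not_after,
            "expired": now > not_after, "is_ca": is_ca, "findings": findings}

def audit_pem_bundle(text, now=None):
    """Audit every certificate in a PEM bundle, e.g. one exported from a browser's trust store."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [audit_certificate(base64.b64decode("".join(b.split())), now) for b in blocks]

def der_encode(tag, content):
    """Encode one DER TLV; used only to build the constructed sample below."""
    n = len(content)
    if n >= 0x80:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + content
    return bytes([tag, n]) + content

def build_sample_cert():
    """Constructed stand-in: md5WithRSAEncryption, valid 2004-07-31..2004-09-02, CA:TRUE, dummy key/signature."""
    seq = lambda *parts: der_encode(0x30, b"".join(parts))
    oid = lambda hexdigits: der_encode(0x06, bytes.fromhex(hexdigits))
    md5_rsa = seq(oid("2a864886f70d010104"), der_encode(0x05, b""))
    name = lambda cn: seq(der_encode(0x31, seq(oid("550403"), der_encode(0x13, cn))))  # CN=<cn>
    utc = lambda s: der_encode(0x17, s.encode("ascii"))
    dummy_bits = der_encode(0x03, b"\x00" * 17)                    # BIT STRING: 0 unused bits, zero payload
    spki = seq(seq(oid("2a864886f70d010101"), der_encode(0x05, b"")), dummy_bits)  # rsaEncryption, dummy key
    basic = seq(oid("551d13"), der_encode(0x01, b"\xff"),          # critical BasicConstraints
                der_encode(0x04, seq(der_encode(0x01, b"\xff"))))  # cA = TRUE
    tbs = seq(der_encode(0xA0, der_encode(0x02, b"\x02")), der_encode(0x02, b"\x42"), md5_rsa,
              name(b"Equifax Secure Global eBusiness CA-1"), seq(utc("040731000001Z"), utc("040902000001Z")),
              name(b"MD5 Collisions Inc."), spki, der_encode(0xA3, seq(basic)))
    return seq(tbs, md5_rsa, dummy_bits)

def sample_pem():
    body = base64.encodebytes(build_sample_cert()).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"
```

To use it on a real store, export the authorities as a PEM bundle and call audit_pem_bundle(open(path).read()); each report lists the algorithm, the validity window and the findings. Note that openssl prints "Signature Algorithm" twice in the output above (once inside the TBSCertificate and once for the outer signature); the audit reads both and reports a mismatch, since RFC 5280 requires them to agree. Unknown algorithm OIDs are reported as their raw hex rather than silently skipped.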