Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Firefox 3.6 for Windows includes a forged CA cert
From: Mike Duncan <Mike.Duncan () noaa gov>
Date: Mon, 22 Mar 2010 13:35:28 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Good question. Confirmed on Linux version as well (Mozilla/5.0 (X11; U;
Linux i686; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6). More
information about the rogue-CA can be found here:
http://www.phreedom.org/research/rogue-ca/.

# openssl x509 -in MD5CollisionsInc.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 66 (0x42)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=Equifax Secure Inc., CN=Equifax Secure Global
eBusiness CA-1
        Validity
            Not Before: Jul 31 00:00:01 2004 GMT
            Not After : Sep  2 00:00:01 2004 GMT
        Subject: CN=MD5 Collisions Inc. (http://www.phreedom.org/md5)
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:ba:a6:59:c9:2c:28:d6:2a:b0:f8:ed:9f:46:a4:
                    a4:37:ee:0e:19:68:59:d1:b3:03:99:51:d6:16:9a:
                    5e:37:6b:15:e0:0e:4b:f5:84:64:f8:a3:db:41:6f:
                    35:d5:9b:15:1f:db:c4:38:52:70:81:97:5e:8f:a0:
                    b5:f7:7e:39:f0:32:ac:1e:ad:44:d2:b3:fa:48:c3:
                    ce:91:9b:ec:f4:9c:7c:e1:5a:f5:c8:37:6b:9a:83:
                    de:e7:ca:20:97:31:42:73:15:91:68:f4:88:af:f9:
                    28:28:c5:e9:0f:73:b0:17:4b:13:4c:99:75:d0:44:
                    e6:7e:08:6c:1a:f2:4f:1b:41
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Certificate Sign,
CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Subject Key Identifier:
                A7:04:60:1F:AB:72:43:08:C5:7F:08:90:55:56:1C:D6:CE:E6:38:EB
            X509v3 Authority Key Identifier:

keyid:BE:A8:A0:74:72:50:6B:44:B7:C9:23:D8:FB:A8:FF:B3:57:6B:68:6C

            Netscape Comment:
                3
    Signature Algorithm: md5WithRSAEncryption
        a7:21:02:8d:d1:0e:a2:80:77:25:fd:43:60:15:8f:ec:ef:90:
        47:d4:84:42:15:26:11:1c:cd:c2:3c:10:29:a9:b6:df:ab:57:
        75:91:da:e5:2b:b3:90:45:1c:30:63:56:3f:8a:d9:50:fa:ed:
        58:6c:c0:65:ac:66:57:de:1c:c6:76:3b:f5:00:0e:8e:45:ce:
        7f:4c:90:ec:2b:c6:cd:b3:b4:8f:62:d0:fe:b7:c5:26:72:44:
        ed:f6:98:5b:ae:cb:d1:95:f5:da:08:be:68:46:b1:75:c8:ec:
        1d:8f:1e:7a:94:f1:aa:53:78:a2:45:ae:54:ea:d1:9e:74:c8:
        76:67



Mike Duncan
ISSO, Application Security Specialist
Government Contractor with STG, Inc.
NOAA :: National Climatic Data Center


On 03/19/2010 04:22 PM, Francis Litterio wrote:
In Firefox 3.6 for Windows, go to Tools -> Options -> Advanced -> Encryption ->
View Certificates -> Authorities and scroll down to the entry for "Equifax
Secure Inc." and you'll see a cert labeled "MD5 Collisions Inc
(http://www.phreedom.org/md5)" grouped with the other Equifax certs.

Yes, it's expired, so it poses no real threat, but why is the Mozilla Project
shipping Firefox with that cert?  It just causes FUD.
--
Fran


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkunqlwACgkQnvIkv6fg9hZ9xgCeN2pHJd7cR/K0XoLAI4MKSR7P
6TsAn2gJ5czYDikEK25OcVsZngS/lGIN
=xb7R
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault