Ubuntu
firefox-3.5 package

"MD5 Collisions Inc." (expried) fake SSL certificate is installed as standard

Bug #482751 reported by Andrew Rendle
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
firefox-3.5 (Ubuntu)
Invalid
Undecided
Unassigned

Bug Description

Binary package hint: firefox-3.5

I have noticed that there is an SSL CA certificate for "MD5 Collisions Inc. (http://www.phreedom.org/md5)" installed as standard in Firefox 3.5. Visiting the URL in the name tells us that the certificate was created as a proof-of-concept for an attack on SSL using MD5 hash collisions, so I was somewhat surprised to see it included as a trusted CA certificate.

OK, so the validity dates in the certificate (31 July 2004 - 2 Sept 2004) and the fact that it was created as a proof-of-concept mean that it is implausible that it could be used (and so I'm not marking this as a security vulnerability,) but it's inclusion seems rather odd.

ProblemType: Bug
Architecture: i386
Date: Sat Nov 14 18:08:05 2009
DistroRelease: Ubuntu 9.10
Package: firefox-3.5 3.5.5+nobinonly-0ubuntu0.9.10.1
ProcEnviron:
 LANGUAGE=en_GB.UTF-8
 PATH=(custom, no user)
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-14.48-generic
SourcePackage: firefox-3.5
Uname: Linux 2.6.31-14-generic i686

Revision history for this message
Andrew Rendle (andrew-andrewr) wrote :
Revision history for this message
WeatherGod (ben-v-root) wrote :

Andrew, myself and others have looked for this certificate in various versions of firefox and cannot find it. Is it possible that it may be leftover from a much older version of firefox or that you have forgotten that you accepted this certificate at some point?

Changed in firefox-3.5 (Ubuntu):
status: New → Invalid
Revision history for this message
Andrew Rendle (andrew-andrewr) wrote :

I'm seeing this on two computers of mine. On one of them, I've done a clean re-install of Firefox (uninstalled via Synaptic's "Complete Removal" option and then reinstalled) and removed the existing FF profile ($mv /home/andrew/.mozilla/ /home/andrew/.mozilla-old/), and on the first run of Firefox I still see the cert listed alongside the Equifax ones, as in the attached screenshot.

Revision history for this message
WeatherGod (ben-v-root) wrote :

And right you are, Andrew! I apologize. I wasn't looking for it under Equifax's entry, so I missed it.

I can confirm it for both Firefox 3.0.15 and Shiretoko in Jaunty.

Changed in firefox-3.5 (Ubuntu):
status: Invalid → Confirmed
Revision history for this message
Justin Dolske (justin-dolske) wrote :

This is expected, the cert was added to the default list of NSS CA with all trust bits disabled, to ensure the rogue certificate that was generated is never usable.

See https://bugzilla.mozilla.org/show_bug.cgi?id=471715

Revision history for this message
Till Ulen (tillulen) wrote :

As previously said, this is a security feature. If the current date on your computer is set to September 2, 2004 or before, a man-in-the-middle attacker who can control your network connection would be able to spoof any SSL site on the Internet using the MD5 Collisions Inc. certificate. This feature ensures Firefox never trusts the rogue certificate, even if the computer's clock is wrong.

Changed in firefox-3.5 (Ubuntu):
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.