Морской конек показывает несколько подозрительных (нулевых) «личных сертификатов»

Было трудно найти объяснение с помощью поисковой системы, поэтому я спрашиваю и отвечаю здесь.

Seahorse, связка ключей Gnome и диспетчер ключей показывают несколько подозрительных сертификатов с пустыми полями на вкладке «Доверие по умолчанию», когда включено «Показать все»:

enter image description here

Непонятно, откуда они, что они и как иди туда. Представляют ли они угрозу безопасности? Меня взломали?

задан 14 August 2020 в 13:56

1 ответ

There's an issue #299 for this on the Seahorse issue tracker.

TL;DR: these are distrusted certs marked as such for your protection in your distro's list of root CA's. Seahorse doesn't handle those well. It's a cosmetic problem, not a security one.

Long Version

Over the years, there have multiple incidents in which CA certs have been abused (hacked, used irresponsibly, etc'). Since your browser trusts any cert issued by these CAs, these are very serious compromised in terms of security.

In order to protect you from MiTM attack, these certs are included in your distro's list of certificates and explicitly marked as blacklisted/rejected/invalid.

Most distros source the list from the one maintained by Mozilla upstream as part of the nss project.

One example of such a bad cert is the cert(s) issues as part of the Trustwave controversy. Here's the Mozilla issue marking these certs untrusted.

If you look at the mozilla file, you'll see there's an entry called "MITM subCA 1 issued by Trustwave", and it is marked as untrusted.

This and several others example show up as (null) in seahorse because they include enough information for disregarding them, but does not include the actual CA certificate. So, seahorse display them in this strange way.

The 7 entries which correspond to the null certificates are:

  • "MITM subCA 1 issued by Trustwave"
  • "MITM subCA 2 issued by Trustwave"
  • "TURKTRUST Mis-issued Intermediate CA 1"
  • "TURKTRUST Mis-issued Intermediate CA 2"
  • "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 1/3)"
  • "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 2/3)"
  • "Distrust: O=Egypt Trust, OU=VeriSign Trust Network (cert 3/3)"

You can use your favorite search engine to find out more about the stories behind these (also, DigiNotar and Comodo) and to learn how badly broken the CA trust system actually is.

On Fedora the CA cert list (derived from the mozilla file) lives at /usr/share/pki/ca-trust-source/ca-bundle.trust.p11-kit).

I've tried reporting this to the seahorse developers on their Gitlab, but gave up after 16 captchas, 30 minutes, and one insta-block.


ответ дан 21 August 2020 в 07:59

Другие вопросы по тегам:

Похожие вопросы: