Reg : Inquiry Regarding Removal of Certificates with Specific SHA1 Fingerprints


M THUG

Nov 18, 2024, 11:41:46 AM
to dev-secur...@mozilla.org

Dear Mozilla Firefox Team,

I hope this message finds you well.

I am writing to inquire about the removal of the following SSL/TLS certificates from Firefox's trusted certificate store. These certificates are identified by the following SHA1 fingerprints:

SHA1 Fingerprint: ff:bd:cd:e7:82:c8:43:5e:3c:6f:26:86:5c:ca:a8:3a:45:5b:c3:0a
SHA1 Fingerprint: b8:be:6d:cb:56:f1:55:b9:63:d4:12:ca:4e:06:34:c7:94:b2:1c
SHA1 Fingerprint: 58:d1:df:95:95:67:6b:63:c0:f0:5b:1c:17:4d:8b:84:0b:c8:78
SHA1 Fingerprint: e9:a8:5d:22:14:52:1c:5b:aa:0a:b4:be:24:6a:23:8a:c9:ba:e2
SHA1 Fingerprint: 8a:2f:af:57:53:b1:b0:e6:a1:04:ec:5b:6a:69:71:6d:f6:1c:e2:84
SHA1 Fingerprint: ae:c5:fb:3f:c8:e1:bf:c4:e5:4f:03:07:5a:9a:e8:00:b7:f7:b6

Could you kindly provide clarification as to why these specific certificates were removed? Understanding the rationale behind this decision will help us assess any potential impact on our systems and ensure that we are adhering to the best practices for security.

Thank you in advance for your attention to this matter. I look forward to your response.

Best regards, Vamsi

Dana Keeler

Nov 18, 2024, 12:17:00 PM
to M THUG, dev-secur...@mozilla.org
> ff:bd:cd:e7:82:c8:43:5e:3c:6f:26:86:5c:ca:a8:3a:45:5b:c3:0a

This appears to be TrustCor RootCert CA-1, and you can find more information about its removal here: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ

> b8:be:6d:cb:56:f1:55:b9:63:d4:12:ca:4e:06:34:c7:94:b2:1c
> 58:d1:df:95:95:67:6b:63:c0:f0:5b:1c:17:4d:8b:84:0b:c8:78
> e9:a8:5d:22:14:52:1c:5b:aa:0a:b4:be:24:6a:23:8a:c9:ba:e2
> ae:c5:fb:3f:c8:e1:bf:c4:e5:4f:03:07:5a:9a:e8:00:b7:f7:b6

I can't find any certificates matching these hashes. They're all too short to be SHA1 hashes, though, so perhaps there was a copy/paste error.

> 8a:2f:af:57:53:b1:b0:e6:a1:04:ec:5b:6a:69:71:6d:f6:1c:e2:84

This appears to be E-Tugra Global Root CA ECC v3, and you can find more information about its removal here: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A/m/qDXcQu-hBAAJ


Aaron Gable

Nov 18, 2024, 12:25:15 PM
to M THUG, dev-secur...@mozilla.org
The certificate with fingerprint ff:bd:cd:e7:82:c8:43:5e:3c:6f:26:86:5c:ca:a8:3a:45:5b:c3:0a (the first one listed) is TrustCor RootCert CA-1. You can see the email announcing Mozilla's decision to remove TrustCor from their trust store here. That email thread also contains most of the discussion and deliberation around why TrustCor was removed, as well as messages from the Microsoft and Chrome root programs announcing similar distrust decisions.

The second fingerprint listed does not correspond to any known certificate, but that is because you have accidentally truncated it by one octet. I believe it was meant to be b8:be:6d:cb:56:f1:55:b9:63:d4:12:ca:4e:06:34:c7:94:b2:1c:c0, in which case it matches TrustCor RootCert CA-2, which was distrusted at the same time as the above.

The same goes for the third fingerprint. It should be 58:d1:df:95:95:67:6b:63:c0:f0:5b:1c:17:4d:8b:84:0b:c8:78:bd, for TrustCor ECA-1, which was also removed at the same time as the above.

The fourth fingerprint (e9:a8:5d:22:14:52:1c:5b:aa:0a:b4:be:24:6a:23:8a:c9:ba:e2) is also one octet short, but I have been unable to identify what certificate it is supposed to match.

The certificate with fingerprint 8a:2f:af:57:53:b1:b0:e6:a1:04:ec:5b:6a:69:71:6d:f6:1c:e2:84 (the fifth one listed) is E-Tugra Global Root CA ECC v3. You can see the email announcing Mozilla's decision to remove E-Tugra from their trust store here.

The sixth fingerprint is also missing its final octet. It should be e9:a8:5d:22:14:52:1c:5b:aa:0a:b4:be:24:6a:23:8a:c9:ba:e2:a9 to match E-Tugra Global Root CA RSA v3, which was removed from the trust store at the same time as the one above.

Aaron


Matthew McPherrin

Nov 18, 2024, 1:37:34 PM
to Aaron Gable, M THUG, dev-secur...@mozilla.org
> The fourth fingerprint (e9:a8:5d:22:14:52:1c:5b:aa:0a:b4:be:24:6a:23:8a:c9:ba:e2) is also one octet short, but I have been unable to identify what certificate it is supposed to match.

I think this should be E9:A8:5D:22:14:52:1C:5B:AA:0A:B4:BE:24:6A:23:8A:C9:BA:E2:A9 - E-Tugra Global Root CA RSA v3

https://crt.sh/?q=E9%3AA8%3A5D%3A22%3A14%3A52%3A1C%3A5B%3AAA%3A0A%3AB4%3ABE%3A24%3A6A%3A23%3A8A%3AC9%3ABA%3AE2%3AA9

Aaron Gable

Nov 18, 2024, 2:08:45 PM
to Matthew McPherrin, M THUG, dev-secur...@mozilla.org
Ah sorry, I switched the fourth and sixth fingerprints. The sixth one (ae:c5:fb:3f:c8:e1:bf:c4:e5:4f:03:07:5a:9a:e8:00:b7:f7:b6:??) is unidentified.

Matthew McPherrin

Nov 18, 2024, 2:30:19 PM
to Aaron Gable, M THUG, dev-secur...@mozilla.org
Ah, that's Autoridad de Certificacion Firmaprofesional CIF A62634068

AEC5FB3FC8E1BFC4E54F03075A9AE800B7F7B6FA

Dana Keeler

Nov 18, 2024, 3:00:18 PM
to Matthew McPherrin, Aaron Gable, M THUG, dev-secur...@mozilla.org
Note that that certificate was not removed from NSS, but rather had its trust bits edited so that it is only trusted for TLS server authentication: https://bugzilla.mozilla.org/show_bug.cgi?id=1851044#c0
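As an added example (not code from this thread, Mozilla or NSS), the triage the replies above did by hand, written as a small Python script: it normalizes fingerprints written in different styles (lowercase with colons, uppercase without), flags digests that are one octet short as probable copy/paste truncation, matches such prefixes against a reference table, and distinguishes a removed root from one whose trust bits were only restricted. The reference table is constructed solely from the fingerprints and dispositions stated in this thread and stands in for a real root-store export.

```python
import re

# Constructed reference table built only from the fingerprints and dispositions
# stated in this thread; it stands in for a real root-store export.
KNOWN_ROOTS = {
    "ffbdcde782c8435e3c6f26865ccaa83a455bc30a": ("TrustCor RootCert CA-1", "removed"),
    "b8be6dcb56f155b963d412ca4e0634c794b21cc0": ("TrustCor RootCert CA-2", "removed"),
    "58d1df9595676b63c0f05b1c174d8b840bc878bd": ("TrustCor ECA-1", "removed"),
    "8a2faf5753b1b0e6a104ec5b6a69716df61ce284": ("E-Tugra Global Root CA ECC v3", "removed"),
    "e9a85d2214521c5baa0ab4be246a238ac9bae2a9": ("E-Tugra Global Root CA RSA v3", "removed"),
    "aec5fb3fc8e1bfc4e54f03075a9ae800b7f7b6fa": ("Autoridad de Certificacion Firmaprofesional CIF A62634068",
                                                 "trust bits limited to TLS server authentication"),
}
SHA1_OCTETS = 20


def normalize(fp: str) -> str:
    """Drop colons/whitespace and lowercase, so 'AE:C5..' and 'aec5..' compare equal."""
    digest = re.sub(r"[\s:]", "", fp).lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", digest):
        raise ValueError(f"not a hex octet string: {fp!r}")
    return digest


def identify(fp: str) -> dict:
    """Exact match for a complete digest; for a truncated one, every root sharing the prefix."""
    digest = normalize(fp)
    octets = len(digest) // 2
    result = {"octets": octets, "exact": None, "candidates": []}
    if octets == SHA1_OCTETS:
        result["exact"] = KNOWN_ROOTS.get(digest)
    elif octets < SHA1_OCTETS:
        # Copy/paste truncation: a 19-octet prefix usually still pins down one root.
        result["candidates"] = [v for k, v in KNOWN_ROOTS.items() if k.startswith(digest)]
    return result


def audit(fps: list[str]) -> list[str]:
    """One verdict line per submitted fingerprint, as a triage report."""
    verdicts = []
    for fp in fps:
        r = identify(fp)
        if r["exact"]:
            verdicts.append(f"{fp}: {r['exact'][0]} ({r['exact'][1]})")
        elif r["candidates"]:
            names = "; ".join(f"{n} ({s})" for n, s in r["candidates"])
            verdicts.append(f"{fp}: {r['octets']} octets, likely truncated; prefix of {names}")
        else:
            verdicts.append(f"{fp}: {r['octets']} octets, no match in reference table")
    return verdicts
```

Feeding the six fingerprints from the original inquiry to `audit()` reproduces the thread's conclusions, including that the sixth one was restricted rather than removed.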
