Apple Certificates Trust List changes in iOS 8.4 and OS X
- List of available trusted root certificates in iOS 8
- List of available trusted root certificates in OS X Yosemite
Both show Last Modified: Jun 30, 2015; the previous modification was April 9, 2015. I downloaded both lists and diffed them against the previous versions. They're big lists, so to keep it simple:
The only change affects CNNIC, the China Internet Network Information Center. Two root certificates from CNNIC were removed from the Trust Store, and a whitelist of previously issued certificates was added.
Apple says: "An intermediate certificate was incorrectly issued by the certificate authority CNNIC. This issue was addressed through the addition of a mechanism to trust only a subset of certificates issued prior to the mis-issuance of the intermediate."
The CNNIC / MCS incident received substantial coverage; I won't rehash it here, but link to the major primary-source commentaries:
- Maintaining digital certificate security - Google
- The MCS Incident and Its Consequences for CNNIC - Mozilla (PDF)
- MCS Response to Google Blog - MCS
- Clarification on some media’s claim that “CNNIC has issued certificates for MITM attack” - CNNIC
- Google Chrome will banish Chinese certificate authority for breach of trust - Arstechnica.com
While the CNNIC root certificates are no longer trusted, Apple added a large set of existing certificates issued by CNNIC before April 1, 2015. Compared to the actions of the other vendors, Google (1) uses a "publicly disclosed whitelist", while Mozilla (2) decided on a date-based approach. Mozilla has a tracking bug for the items CNNIC must address in order to be reinstated.
Removed:
Certificate name | Issued by | Key type | Key size | Signature algorithm | Serial number | Expires | EV policy |
China Internet Network Information Center EV Certificates Root | China Internet Network Information Center EV Certificates Root | RSA | 2048 bits | SHA-1 | 48 9F 00 01 | 07:11:25 Aug 31, 2030 | 1.3.6.1.4.1.29836.1.10 |
SHA1 Fingerprint: 4F99AA93FB2BD13726A1994ACE7FF005F2935D1E
CNNIC ROOT | CNNIC ROOT | RSA | 2048 bits | SHA-1 | 49 33 00 01 | 07:09:14 Apr 16, 2027 | Not EV |
SHA1 Fingerprint: 8BAF4C9B1DF02A92F7DA128EB91BACF498604B6F
Apple provides more information about the "partial set" of CNNIC-issued certificates that are being grandfathered in, split by the chain they belong to.
CNNIC EV Certificates Root -> CNNIC EV SSL
Some interesting entries are below. These don't appear to conform to the EV requirements, since the names are unqualified (no FQDN), unless the hostname is simply not printed correctly, or they may not be server authentication certificates at all. Five have already expired. The unqualified names look like CNNIC-internal hosts for PKI operations (RA = Registration Authority, etc.).
Certificate Name | Algorithm | Serial Number | Expiration |
aa01 | 1024 bits SHA-1 | 1A 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 DC | 11-2016 |
RASERVER | 2048 bits SHA-1 | 1A 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 7D | 9-2015 |
auth.cnidrz.cn | 2048 bits SHA-1 | 1A 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 C0 | 4-2015 |
www.cnidrz.cn | 2048 bits SHA-1 | 1A 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 C1 | 4-2015 |
www.e-shenhua.com | 2048 bits SHA-1 | 1A 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 BB | 5-2015 |
www.sfn.cn | 2048 bits SHA-1 | 1A 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 C5 | 5-2015 |
www.sudu.cn | 2048 bits SHA-1 | 1A 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 C2 | 4-2015 |
CNNIC Root -> CNNIC SSL
This list has 1429 certificates, 318 of which are expired. I picked out some hosts of interest below. I checked a few sites to see if they are reachable and wasn't able to verify any. I did find a few that are using WoSign certs (www.escience.cn, for example). The addresses in the table below might be CNNIC-internal (RA means Registration Authority in a PKI, for example).
Certificate Name | Algorithm | Serial Number | Expiration |
218.241.98.161 | 1024 bits SHA-1 | 44 F3 00 01 | 9-2015 |
218.241.98.167 | 1024 bits SHA-256 | 00 92 E0 FA DA E7 0E D8 01 3A 5B C7 9E A0 63 76 F2 | 11-2024 |
61.135.129.80 | 2048 bits SHA-1 | 10 C0 97 CE 7B C9 07 15 B3 4B 95 F7 B1 41 15 C9 | 9-2015 |
61.135.129.88 | 2048 bits SHA-1 | 10 C0 97 CE 7B C9 07 15 B3 4B 95 F7 B1 41 15 CA | 9-2015 |
aa001 | 1024 bits SHA-1 | 1C 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 E0 | 5-2015 |
aa001 | 1024 bits SHA-1 | 10 C0 97 CE 7B C9 07 15 B3 4B 95 F7 B1 41 18 8D | 5-2015 |
aa003 | 1024 bits SHA-1 | 1C 2F DD D9 35 3B 65 EE 1B B4 66 19 4D F3 10 E1 | 5-2015 |
admin | 1024 bits SHA-256 | 00 D4 BA 5D 74 09 B2 E9 8A DF 20 57 D2 3A C8 18 F6 | 12-2015 |
admin | 1024 bits SHA-256 | 5A B1 E6 B4 CA F6 9D 97 CA 8E 61 AC D1 25 D5 19 | 2-2020 |
admin | 1024 bits SHA-1 | 10 C0 97 CE 7B C9 07 15 B3 4B 95 F7 B1 41 18 9F | 6-2016 |
eee | 2048 bits SHA-256 | 00 E5 B6 35 17 43 47 B6 D0 FD 11 14 5B 34 8D 56 22 | 12-2015 |
firstpa | 1024 bits SHA-256 | 00 EF 1E 7B DE 2C D0 20 CC 34 D2 EF 30 EC 8B 9E 60 | 11-2024 |
firstpa | 1024 bits SHA-1 | 44 F3 00 02 | 9-2015 |
ra | 1024 bits SHA-256 | 00 8F B6 2D 47 FE 73 F1 00 EE BA 22 D0 7B 4B 6B 9F | 12-2019 |
ra | 1024 bits SHA-1 | 10 C0 97 CE 7B C9 07 15 B3 4B 95 F7 B1 41 15 5E | 3-2017 |
raadmin | 1024 bits SHA-256 | 79 3E 14 07 1F 0E 08 8C 7F 6D 15 95 2A A3 C8 69 | 12-2015 |
rads | 1024 bits SHA-256 | 25 79 DF 31 EC 34 B4 8D 5F DA 82 AD B6 E2 10 90 | 12-2019 |
radstest | 1024 bits SHA-256 | 00 C7 05 AA 86 67 C1 27 A6 08 8A 09 E3 8E B5 DD F5 | 12-2015 |
sslsecondpa | 1024 bits SHA-1 | 10 C0 97 CE 7B C9 07 15 B3 4B 95 F7 B1 41 14 74 | 7-2015 |
t1 | 2048 bits SHA-256 | 25 D8 B2 5E 3C 7A 78 CD AB 97 06 4F 0C 9C 9B 84 | 12-2015 |
test | 1024 bits SHA-256 | 25 EB 7D 72 B9 C0 47 62 73 22 C8 E7 ED 26 57 A9 | 12-2015 |
test | 2048 bits SHA-256 | 48 98 DF D6 CE 28 ED B9 6A 55 82 65 B2 AD 92 26 | 12-2015 |
test.cnnic.cn | 1024 bits SHA-256 | 00 C3 8B 4C D7 E9 81 FD 71 B5 71 A8 74 65 B6 F1 CE | 12-2015 |
test1 | 1024 bits SHA-256 | 00 C1 DF C2 8A 44 80 44 25 82 62 8C 66 C8 02 31 FD | 12-2015 |
test1.cnnic.cn | 1024 bits SHA-256 | 6C F8 68 07 8F 67 DA 11 F9 30 E7 B2 5D CD 49 9F | 12-2015 |