[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Fwd: [guardian-alpha] CACertMan app to address DigiNotar & others



fyi

-------- Original Message --------
Subject: [guardian-alpha] CACertMan app to address DigiNotar & others
Date: Sun, 04 Sep 2011 23:06:46 -0400
From: Nathan of Guardian <nathan@xxxxxxxxxxxxxxxxxxxx>
Organization: The Guardian Project
To: guardian-dev <guardian-dev@xxxxxxxxxxxxxxxxxx>,
guardian-alpha@xxxxxxxxxxxxxxxxxx


As I expect many of you are aware, there was a major compromise to a
Dutch Certificate Authority named "DigiNotar" recently, where they
allowed SSL certs for domains like *.google.com, *.torproject.org and
even *.cia.gov as well as *.*.com to be issued.

It was brought up to the contribs of CyanogenMOD that they should
probably remove the DigiNotar CA cert from the built-in Android OS
keystore (located at /system/etc/security/cacerts.bks). Since they have
500k+ users, and can be more nimble than other ROM/device distributors,
it was seen as a way to quickly address the problem, at least within
their community. It turns out that it wasn't as easy to convince them to
do this (even though Mozilla, Google Chrome, IE, etc already had). You
can read the thread, but it is still an open issue:
http://code.google.com/p/cyanogenmod/issues/detail?id=4260

In the meantime, I decided to do something proactive about this, and
took two approaches:

1) Create our own curated cacerts.bks file which rooted users could
install using 'adb' from their desktop and/or the 'Root Explorer' app
available in the market and elsewhere. Our version of the CACert file
removes DigiNotar, as well as CNNIC, a Chinese gov't-managed cert
authority who we have reason not to trust. Our goal is to continue to
audit, update and distribute our own cacerts file for users who trust us.

Install info:
https://raw.github.com/guardianproject/cacert/master/INSTALLATION
Guardian's CACert:
https://github.com/downloads/guardianproject/cacert/cacerts.bks

2) We also wanted to create an app that let the user decided which certs
they wanted available, and which they didn't. Beyond this one CA
problem, there are potentially many more, and every handset manufacturer
or carrier can also place their own CA certs into the system. We need an
app to address today's and future CA threats.

I have been hacking away on a solution to address this, and an initial
test release is available for you. 'CACertMan' is a simple app that
loads up the system cacert store, allows you to back it up, search for
certs, delete them, and then save it back to the system. You can always
restore from your initial backup, as well. In the future we may allow
for a cert to just be disabled, but for now it is delete and/or restore.

Here is the first alpha build for testing. This does require root, as
well as a device that has the 'grep' command on it. This is basically
CyanogenMOD, but most likely any other custom ROM. If the 'save' doesn't
work, then you will need to use 'RootExplorer' to make you /system
parition read-write.

https://github.com/guardianproject/cacert/CACertMan-0.0.1-alpha.apk/qr_code

You can find the source project here:
https://github.com/guardianproject/cacert

Once we get confirmation that the app works for most people, we'll place
it in the market, and on or site for wider distribution.

Through these two approaches, we hope to mitigate the threats facing
Android users who might encounter man-in-the-middle attacks enabled
through the DigiNotar exploit. While many of you are presumably in
"free" countries, we do know that may of our users of Orbot, Gibberbot
and other software are not, and we hope this message can reach them.

Best,
  n8fr8

_______________________________________________
Guardian-alpha mailing list

Post: Guardian-alpha@xxxxxxxxxxxxxxxxxx
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-alpha

To Unsubscribe
        Send email to:  Guardian-alpha-unsubscribe@xxxxxxxxxxxxxxxxxx
        Or visit: %(user_optionsurl)s

You are subscribed as: %(user_address)s
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk