[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Fwd: [guardian-alpha] CACertMan app to address DigiNotar & others


-------- Original Message --------
Subject: [guardian-alpha] CACertMan app to address DigiNotar & others
Date: Sun, 04 Sep 2011 23:06:46 -0400
From: Nathan of Guardian <nathan@xxxxxxxxxxxxxxxxxxxx>
Organization: The Guardian Project
To: guardian-dev <guardian-dev@xxxxxxxxxxxxxxxxxx>,

As I expect many of you are aware, there was a major compromise to a
Dutch Certificate Authority named "DigiNotar" recently, where they
allowed SSL certs for domains like *.google.com, *.torproject.org and
even *.cia.gov as well as *.*.com to be issued.

It was brought up to the contribs of CyanogenMOD that they should
probably remove the DigiNotar CA cert from the built-in Android OS
keystore (located at /system/etc/security/cacerts.bks). Since they have
500k+ users, and can be more nimble than other ROM/device distributors,
it was seen as a way to quickly address the problem, at least within
their community. It turns out that it wasn't as easy to convince them to
do this (even though Mozilla, Google Chrome, IE, etc already had). You
can read the thread, but it is still an open issue:

In the meantime, I decided to do something proactive about this, and
took two approaches:

1) Create our own curated cacerts.bks file which rooted users could
install using 'adb' from their desktop and/or the 'Root Explorer' app
available in the market and elsewhere. Our version of the CACert file
removes DigiNotar, as well as CNNIC, a Chinese gov't-managed cert
authority who we have reason not to trust. Our goal is to continue to
audit, update and distribute our own cacerts file for users who trust us.

Install info:
Guardian's CACert:

2) We also wanted to create an app that let the user decided which certs
they wanted available, and which they didn't. Beyond this one CA
problem, there are potentially many more, and every handset manufacturer
or carrier can also place their own CA certs into the system. We need an
app to address today's and future CA threats.

I have been hacking away on a solution to address this, and an initial
test release is available for you. 'CACertMan' is a simple app that
loads up the system cacert store, allows you to back it up, search for
certs, delete them, and then save it back to the system. You can always
restore from your initial backup, as well. In the future we may allow
for a cert to just be disabled, but for now it is delete and/or restore.

Here is the first alpha build for testing. This does require root, as
well as a device that has the 'grep' command on it. This is basically
CyanogenMOD, but most likely any other custom ROM. If the 'save' doesn't
work, then you will need to use 'RootExplorer' to make you /system
parition read-write.


You can find the source project here:

Once we get confirmation that the app works for most people, we'll place
it in the market, and on or site for wider distribution.

Through these two approaches, we hope to mitigate the threats facing
Android users who might encounter man-in-the-middle attacks enabled
through the DigiNotar exploit. While many of you are presumably in
"free" countries, we do know that may of our users of Orbot, Gibberbot
and other software are not, and we hope this message can reach them.


Guardian-alpha mailing list

Post: Guardian-alpha@xxxxxxxxxxxxxxxxxx
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-alpha

To Unsubscribe
        Send email to:  Guardian-alpha-unsubscribe@xxxxxxxxxxxxxxxxxx
        Or visit: %(user_optionsurl)s

You are subscribed as: %(user_address)s
tor-talk mailing list