[guardian-dev] CACertMan app to address DigiNotar & others

Jason guardianproject at lakedaemon.net
Mon Sep 5 09:53:50 EDT 2011


On Sun, Sep 04, 2011 at 11:06:46PM -0400, Nathan of Guardian wrote:
> As I expect many of you are aware, there was a major compromise to a
> Dutch Certificate Authority named "DigiNotar" recently, where they
> allowed SSL certs for domains like *.google.com, *.torproject.org and
> even *.cia.gov as well as *.*.com to be issued.
> 
> It was brought up to the contribs of CyanogenMOD that they should
> probably remove the DigiNotar CA cert from the built-in Android OS
> keystore (located at /system/etc/security/cacerts.bks). Since they have
> 500k+ users, and can be more nimble than other ROM/device distributors,
> it was seen as a way to quickly address the problem, at least within
> their community. It turns out that it wasn't as easy to convince them to
> do this (even though Mozilla, Google Chrome, IE, etc already had). You
> can read the thread, but it is still an open issue:
> http://code.google.com/p/cyanogenmod/issues/detail?id=4260

As a side note, I hate the whole messy idea of deleting posts [1], I
much prefer a ranking methodology (let the reader decide to ignore, or
not).

> In the meantime, I decided to do something proactive about this, and
> took two approaches:
> 
> 1) Create our own curated cacerts.bks file which rooted users could
> install using 'adb' from their desktop and/or the 'Root Explorer' app
> available in the market and elsewhere. Our version of the CACert file
> removes DigiNotar, as well as CNNIC, a Chinese gov't-managed cert
> authority who we have reason not to trust. Our goal is to continue to
> audit, update and distribute our own cacerts file for users who trust us.
> 
> Install info:
> https://raw.github.com/guardianproject/cacert/master/INSTALLATION
> Guardian's CACert:
> https://github.com/downloads/guardianproject/cacert/cacerts.bks
> 
> 2) We also wanted to create an app that let the user decide which certs
> they wanted available, and which they didn't. Beyond this one CA
> problem, there are potentially many more, and every handset manufacturer
> or carrier can also place their own CA certs into the system. We need an
> app to address today's and future CA threats.

I've been looking at different approaches to this problem and the only
one that I like so far is convergence [2].  The client and server are
open source.
 
> I have been hacking away on a solution to address this, and an initial
> test release is available for you. 'CACertMan' is a simple app that
> loads up the system cacert store, allows you to back it up, search for
> certs, delete them, and then save it back to the system. You can always
> restore from your initial backup, as well. In the future we may allow
> for a cert to just be disabled, but for now it is delete and/or restore.

Nice! definite improvement.  

thx,

Jason.

[1] http://groups.google.com/group/openkinect/msg/68fc40e3813477eb
[2] http://www.convergence.io
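
The backup, search, delete and save cycle described above for CACertMan, as an added example that is not part of the original message and is not CACertMan's own code. It works on a local copy of cacerts.bks; the class name, the `.orig`/`.tmp` suffixes and the command-line arguments are assumptions, and it assumes a Bouncy Castle ("BKS") keystore provider is registered in the JVM.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;

public class CaStorePrune { // hypothetical name, for illustration only
    // Removes every CA whose subject DN contains `needle`; returns what was removed.
    static List<String> prune(Path store, char[] pass, String needle) throws Exception {
        Path backup = store.resolveSibling(store.getFileName() + ".orig");
        if (!Files.exists(backup)) Files.copy(store, backup); // keep the first, untouched copy

        KeyStore ks = KeyStore.getInstance("BKS"); // assumes a Bouncy Castle provider is registered
        try (InputStream in = Files.newInputStream(store)) { ks.load(in, pass); }

        String want = needle.toLowerCase(Locale.ROOT);
        List<String> removed = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) { // snapshot: entries are deleted in the loop
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            String subject = ((X509Certificate) c).getSubjectX500Principal().getName();
            if (subject.toLowerCase(Locale.ROOT).contains(want)) {
                ks.deleteEntry(alias);
                removed.add(alias + "  " + subject);
            }
        }
        if (!removed.isEmpty()) { // save via a temp file so a failed write cannot truncate the store
            Path tmp = store.resolveSibling(store.getFileName() + ".tmp");
            try (OutputStream out = Files.newOutputStream(tmp)) { ks.store(out, pass); }
            Files.move(tmp, store, StandardCopyOption.REPLACE_EXISTING);
        }
        return removed;
    }

    public static void main(String[] args) throws Exception {
        // usage: CaStorePrune <local copy of cacerts.bks> <store password> <subject substring>
        for (String r : prune(Paths.get(args[0]), args[1].toCharArray(), args[2]))
            System.out.println("removed: " + r);
    }
}
```

Restoring is a matter of copying the `.orig` file back over the store; review the printed subjects before pushing a modified store to a device.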

