View Issue Details

IDProjectCategoryView StatusLast Update
0002999Kali Linux[All Projects] Kali Package Bugpublic2016-01-22 08:09
ReporterElColmo Assigned Torhertzog  
PriorityhighSeveritymajorReproducibilityalways
Status resolvedResolutionfixed 
Product Version2.0 
Target VersionFixed in Version2016.1 
Summary0002999: Kali 2.0 uses a version of libnss3 that is prone to using weaker/older SSL certificates in certain circumstances
DescriptionKali 2.0 uses a version of libnss3 that is prone to using weaker/older certs, when navigating up the CA chain.

One fairly obvious impact is that Google Chromium incorrectly displays the HTTPS symbol in red, rather than in green, since it uses the less secure SHA-1 based path, rather than the more secure SHA-2 based path, where multiple paths exist. This appears to be an issue where "cross-signed" roots are used, for instance. See https://sslmate.com/blog/post/chrome_cached_sha1_chains for more details.

The bug in question is present in nss_3.17.2-1.1+deb8u1, but is resolved in nss_3.17.2-1.1+deb8u2.

Please see:
http://metadata.ftp-master.debian.org/changelogs/main/n/nss/nss_3.17.2-1.1+deb8u2_changelog
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1423031
Steps To Reproduce#0: Verify "nss_3.17.2-1.1+deb8u1" is installed
0000001: Install "chromium" package (I'm using "47.0.2526.80-1~deb8u1")
#2: Run Chromium
#3: Browse to a website which used a SHA-1 certificate in the CA chain, but which now uses a SHA-2 right up the chain (but where the original public key was re-signed with SHA-2, or where "cross-signing" is used).
0000004: Note if the "HTTPS" logo appears in red.
0000005: Using the same version of Chromium on Windows 7, note that the "HTTPS" logo appears in green, and there is no indication of SHA-1 in use.

Activities

rhertzog

2016-01-22 08:09

administrator   ~0004534

Kali 2016.1 has a newer libnss, please upgrade.

Issue History

Date Modified Username Field Change
2016-01-18 17:03 ElColmo New Issue
2016-01-22 08:09 rhertzog Note Added: 0004534
2016-01-22 08:09 rhertzog Status new => resolved
2016-01-22 08:09 rhertzog Fixed in Version => 2016.1
2016-01-22 08:09 rhertzog Resolution open => fixed
2016-01-22 08:09 rhertzog Assigned To => rhertzog