Why doesn’t Mozilla (Firefox) like the Microsoft OCA web site?



In my previous post about OCA, the comments thread has a long discussion started by Shannon J Hager about Mozilla’s behavior when you attempt to access https://winqual.microsoft.com.  If you attempt to access this web site using Firefox (or other Mozilla variants), you get the following dialog box:



Which is weird, because of course the web site works just fine in IE.  No big deal, right – Microsoft’s well known for sleazing the rules for its own products, so obviously this is Microsoft’s fault – they probably did something like hard coding in trust to the Microsoft issuing CA.  But I was kinda surprised at this, so I spent a bit of time checking it out…


The way that SSL certificate verification is supposed to work is that if the issuer of a certificate isn’t trusted, then the code validating the certificate is supposed to check the parent of the issuer to see if IT is trusted.  If the parent of the issuer isn’t trusted, it’s supposed to check the grandparent of the issuer, and so forth until you find the root certificate authority (CA).


The issuing CA of the certificate on the winqual web site is the “Microsoft Secure Server Authority”; it’s not surprising Mozilla doesn’t trust that one.  The parent of the issuing CA is the “Microsoft Internet Authority”; again, no surprise that Mozilla doesn’t trust it.


But the grandparent of the issuing CA is the “GTE CyberTrust Root”.  This is a well known CA, and Mozilla should be trusting it.  And what do you know, Mozilla DOES claim to trust that root CA:



Well, Cesar Eduardo Barros actually went and checked using openssl to see why the CA isn’t trusted.  He tried:


$ openssl s_client -connect winqual.microsoft.com:443 -showcerts

depth=0 /C=US/ST=Washington/L=Redmond/O=WHDC (Old WHQL)/OU=Microsoft/CN=winqual.microsoft.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /C=US/ST=Washington/L=Redmond/O=WHDC (Old WHQL)/OU=Microsoft/CN=winqual.microsoft.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /C=US/ST=Washington/L=Redmond/O=WHDC (Old WHQL)/OU=Microsoft/CN=winqual.microsoft.com
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)

Certificate chain
0 s:/C=US/ST=Washington/L=Redmond/O=WHDC (Old WHQL)/OU=Microsoft/CN=winqual.microsoft.com
i:/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority
-----BEGIN CERTIFICATE-----
[…]
-----END CERTIFICATE-----

Server certificate
subject=/C=US/ST=Washington/L=Redmond/O=WHDC (Old WHQL)/OU=Microsoft/CN=winqual.microsoft.com
issuer=/DC=com/DC=microsoft/DC=corp/DC=redmond/CN=Microsoft Secure Server Authority

No client certificate CA names sent

SSL handshake has read 1444 bytes and written 324 bytes

New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: […]
Session-ID-ctx:
Master-Key: […]
Key-Arg : None
Start Time: […]
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)

DONE


Decoding the certificate it gave me above (openssl x509 -text) I get the same information Mozilla gives me and a bit more, but no copy of the issuer. The only suspicious thing in there is:

Authority Information Access:
CA Issuers - URI:http://www.microsoft.com/pki/mscorp/msssa1(1).crt
CA Issuers - URI:http://corppki/aia/msssa1(1).crt

Getting that URI gives me a blank HTML page with a 0.1 second redirect to itself. (The CRL one seems valid, however.)


So I was confused: why wasn’t OpenSSL able to verify the certificate?  I started asking the security PMs here at Microsoft what was up.  One of the things one of them told me was that Microsoft doesn’t hard code ANY intermediate certificates in our browser.  Instead, our browser relies on the referral information in the certificate to chase down the CA hierarchy.


So why can’t Mozilla do the same thing?  Is there something wrong with our certificates that’s preventing this from working?  I kept on pestering and the PMs kept on digging.  Eventually I got email from someone indicating “IE is chasing 48.2 AIA”.


Well, this isn’t very helpful to me, so I asked the security PM in question to explain it in English.  Apparently the root cause of the problem is that IE is following the Authority Information Access 48.2 OID (1.3.6.1.5.5.7.48.2) to find the parent of the certificate, while Mozilla isn’t.


Inside the Microsoft certificate is the following:



And if you go to http://www.microsoft.com/pki/mscorp/msssa1(1).crt you’ll find the parent CA for the certificate on the winqual web site.  So now it’s off to figure out if the IE behavior is according to standard, or if it’s another case of Microsoft ignoring web standards in favor of proprietary extensions.


A few minutes of googling reveals that the AIA 48.2 field is also known as the id-ad-caIssuers OID.  The authoritative reference for this OID is RFC2459 (the RFC that defines the X.509 certificate infrastructure).  It describes this field as:

The id-ad-caIssuers OID is used when the additional information lists CAs that have issued certificates superior to the CA that issued the certificate containing this extension. The referenced CA Issuers description is intended to aid certificate users in the selection of a certification path that terminates at a point trusted by the certificate user.

In other words, IE is correctly chasing the AIA 48.2 references in the certificate to find the root issuing CA of the certificate. Since it didn’t have direct knowledge of the issuing CA, it correctly looked at the AIA 48.2 field of the winqual web site’s certificate and chased the AIA 48.2 references up to the root CA.  Mozilla (and OpenSSL and GnuSSL) apparently don’t follow this link, which is why they pop up the untrusted certificate dialog.
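To make the chain-building behaviour described above concrete, here is an added example (mine, not Cesar’s output or anything from the post) using Go’s standard crypto/x509. It constructs a three-level hierarchy whose leaf carries an id-ad-caIssuers URL, shows that a client trusting only the root rejects the leaf when the server presents no intermediate (the “unable to get local issuer certificate” case in the OpenSSL output), then follows the AIA link to fetch the intermediate and verifies again. The URL, the names and the in-memory store that stands in for the HTTP GET are all constructed for the example; the chaser also bounds its depth and rejects loops, which is the circular-CA question asked in the comments below.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed AIA caIssuers URL, standing in for the www.microsoft.com/pki/... link in the winqual certificate.
const interAIAURL = "http://pki.example.test/aia/intermediate.crt"

// caIssuerStore replaces the HTTP GET of an AIA URL with an in-memory lookup (URL -> DER) so this runs offline.
type caIssuerStore map[string][]byte

// issue generates a fresh key for tmpl and signs it with signer; a nil signer means self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	if signer == nil { signer, parent = key, tmpl }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	c, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return c, key
}

// buildHierarchy constructs root -> intermediate -> leaf. As on winqual, only the
// leaf carries an AIA caIssuers URL, and the store "serves" the intermediate there.
func buildHierarchy() (root, inter, leaf *x509.Certificate, store caIssuerStore) {
	now := time.Now()
	caTmpl := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	root, rootKey := issue(caTmpl(1, "Example Root CA"), nil, nil)
	inter, interKey := issue(caTmpl(2, "Example Intermediate CA"), root, rootKey)
	leaf, _ = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "server.example.test"},
		DNSNames:  []string{"server.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IssuingCertificateURL: []string{interAIAURL}, // id-ad-caIssuers, OID 1.3.6.1.5.5.7.48.2
	}, inter, interKey)
	return root, inter, leaf, caIssuerStore{interAIAURL: inter.Raw}
}

// verifyAgainstRoot models a client whose trust store holds only the root;
// presented is whatever the server (or AIA chasing) supplied as intermediates.
func verifyAgainstRoot(leaf, root *x509.Certificate, presented []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented { inters.AddCert(c) }
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "server.example.test"})
	return err
}

// isUnknownAuthority is Go's counterpart of OpenSSL's "unable to get local issuer certificate".
func isUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// chaseAIA follows caIssuers links upward, accepting a fetched certificate only if it really
// signed the one below it; it stops at a self-signed cert or a dead link, and refuses loops and excess depth.
func chaseAIA(leaf *x509.Certificate, fetch caIssuerStore, maxDepth int) ([]*x509.Certificate, error) {
	var chain []*x509.Certificate
	seen := map[string]bool{}
	for cur := leaf; len(chain) < maxDepth; {
		if cur.CheckSignatureFrom(cur) == nil { return chain, nil } // self-signed: top of the hierarchy
		var next *x509.Certificate
		for _, u := range cur.IssuingCertificateURL {
			if seen[u] { return nil, fmt.Errorf("AIA loop via %s", u) }
			seen[u] = true
			issuer, err := x509.ParseCertificate(fetch[u]) // nil DER for an unknown URL fails to parse
			if err != nil || cur.CheckSignatureFrom(issuer) != nil {
				continue // missing, unparsable, or not the issuer of cur: ignore what the URL served
			}
			next = issuer
			break
		}
		if next == nil { return chain, nil } // dead link; let the verifier decide
		chain = append(chain, next)
		cur = next
	}
	return nil, errors.New("AIA chain exceeds depth limit")
}

func main() {
	root, _, leaf, store := buildHierarchy()
	err := verifyAgainstRoot(leaf, root, nil)
	fmt.Printf("leaf alone, root trusted: %v (unknown authority: %v)\n", err, isUnknownAuthority(err))
	chain, err := chaseAIA(leaf, store, 8)
	fmt.Printf("AIA chase: %d fetched, err=%v, verified=%v\n", len(chain), err, verifyAgainstRoot(leaf, root, chain) == nil)
}
```

The first verification fails exactly as the browsers in the post do: the leaf is signed by a CA the client has never seen and the server offered nothing else. The fetched issuer is only accepted after CheckSignatureFrom confirms it actually signed the certificate below it, so whatever a caIssuers URL happens to serve cannot inject an unrelated certificate into the path. The server-side fix that does not depend on the client chasing AIA at all is to send the intermediate in the handshake, which is what the presented argument models.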


Issue solved.  Now all someone has to do is to file bugs against Mozilla and OpenSSL to get them to fix their certificate validation logic :)


Btw, I want to give HUGE kudos to Cesar Eduardo Barros for tirelessly trying to figure this out, and to Michael Howard and the lead program manager for NT security for helping me figure this out.  If you look at the info from the certificate that Cesar posted above, he correctly caught the AIA 48.2 fields inside the certificate; it was a huge step in the right direction, and all that remained was to figure out what they really meant.


Edit: Fixed picture links.


Edit2: Fixed line wrapping of reference from RFC2459.

Comments (25)

  1. B.Y. says:

    That was some detective work, and a very educational blog entry.

  2. Jarrod Gray says:

    Did you file a bug (http://bugzilla.mozilla.org) against FireFox for this?

  3. Jarrod: Nope, feel free :) Feel free to use my post as a reference in the bug, but as a Microsoft employee I’m not allowed to contribute to open source projects.

  4. Cesar Eduardo Barros says:

    Reported as http://bugzilla.mozilla.org/show_bug.cgi?id=245609

    Let’s see what they will say about it.

    Now I have to find the bug reporting addresses for OpenSSL and PSM, check Konqueror (probably uses OpenSSL, but not sure), etc…

    By the way, why wasn’t this noticed before? It must be a pretty uncommon thing to have an intermediate CA which is not already trusted by the browser, and not send the whole chain on SSL connections.

  5. anon says:

    Is there a possibility of infinite loop/hack attack if the parent CA is the same as the child CA in a spoofed certificate?

  6. I’d hope that the validation logic would check for circular CAs; if not, it’s a bug in the CA validation logic. Now this gets tricky given the number of ways you can form a URL, but…

  7. Cesar Eduardo Barros says:

    I think I can see why the Mozilla developers didn’t implement it that way. That part of the RFC seems ambiguous to me, and it isn’t very clear that what lies at the end of the URI is a certificate. It could be interpreted as a place to put the URI of a webpage explaining where to get the certificate, for instance ("description"?).

    An X.509 language lawyer would be really useful right now.

  8. Cesar, OpenSSL currently does not support any external (http or ldap) certificate storage (STORE may be introduced in 0.9.8), so it cannot access AIA for automatic download of certificates.

  9. Inquisitive says:

    Wow, MS employees aren’t allowed to contribute to open-source projects?

    Just out of curiosity, do you have any more details about this? Can’t find much with Google…

  10. Microsoft (and IBM and undoubtedly other software houses that make their money by proprietary software) prevents its developers from contributing to (or even looking at the code for) open source software projects.

    IANAL, but AFAIK, the problem is that some code or techniques from the open source code might be incorporated into our proprietary code. If that code is GPL’ed, that might force us to open source the entire component that contains the infringing code.

    Since the GPL has never been litigated, there is no case law that exists that would render guidance as to the liabilities involved, so Microsoft’s (and IBM’s) legal department prohibit Microsoft employees from participating in open source projects.

    It’s not just Microsoft. Any IBM employees that contribute to open source projects are prohibited from participating in their proprietary codebases and vice versa. The same is true for their people who work with Oracle – they’re prohibited from working on DB2.

  11. Cesar Eduardo Barros says:

    It’s not true that the GPL has never been litigated.

    (These links should be safe for MS employees, as long as you don’t go any deeper in these sites ;-)

    http://www.netfilter.org/news/2004-04-15-sitecom-gpl.html (press release)

    http://lwn.net/Articles/80734/ (lwn article)

    http://gnumonks.org/~laforge/weblog/linux/gpl-violations/ (weblog)

  12. KC Lemson says:

    This issue reminds me of one I dealt with about 6 years ago. Someone was complaining about Outlook’s lack of support for internet standards and as evidence, pointed to a case whereby if you replied to a certain message from pine to Outlook, Outlook wouldn’t show the reply, only the original. I dug into it and found out that the problem was on pine’s side, it was sending multipart/alternative with text/plain and text/html, but it was only modifying the text/plain and the text/html still had the original message in it – so the two body parts were different and thus it wasn’t really multipart/alternative. It turned out it was a known bug with that version of pine that had already been fixed too.

  13. Christopher Miller says:

    You can add Opera 7.5 to the list, it can’t access the certificate either.

  14. Cesar Eduardo Barros says:

    The one that annoys me the most in Outlook is that if I send a GnuPG signed message from mutt to Outlook (multipart/signed IIRC) the message is shown as a blank message with an oddly named attachment (which contains the full text of the message). Because of that, I have to avoid sending signed messages unless I’m sending it to a friend (since my friends either already know about that particular problem and will look in the fake attachment, or use a different MUA which doesn’t have this issue).

    I never investigated if it was a bug in mutt or Outlook (but I believe it’s probably lack of a feature in Outlook, since multipart/signed is not one of the original multipart types. So maybe a newer version of Outlook would work as expected)

  15. - says:

    "Microsoft (and IBM and undoubtedly other software houses that make their money by proprietary software) prevents it’s developers from contributing (or even looking at the code for) to open source software projects."

    ibm are very active in the open source community, with loads of code being fed into the linux kernel and mozilla.

  16. Andrew Shuttlewood says:

    Ignoring the should you/shouldn’t you help any open-source project by filing bugs against them – is the problem almost more that Microsoft competes with its partners?

    For example, Firefox runs on top of Windows (so does Cygwin, and Oracle etc). So they’re your partners in this sense – they run on your platform and use your platform services.

    However, you also compete quite busily in their application spaces.

    If you concentrated solely on Windows and Office, or were split into two companies as per what some people say, of course, this wouldn’t be a problem. If you were on the Windows side, Firefox wouldn’t be your competitor, it would be your partner (not withstanding the IE in the OS controversy).

    Bit of a growing pain I guess…

  17. Cesar, those cases aren’t in the U.S. And our source code is protected by US copyrights. I don’t know of any cases where code from a GPL product has been INADVERTENTLY included into a closed source project where the courts ruled on it. There is lots of case law w.r.t. traditional copyright infringement that clearly shows what the remedies are. With the GPL, it’s a whole ‘nother ball of wax.

    - The developers at IBM working on open source aren’t permitted to work on their proprietary software. And vice versa – the proprietary software developers aren’t permitted to work on open source.

    The risks are just too great.

  18. Scott says:

    "ibm are very active in the open source community, with loads of code being fed into the linux kernel and mozilla. "

    Yes, but the employees that work on the Open Source projects aren’t allowed to work on proprietary projects and vice versa. They are segregated.

    Now, project Larry’s (and IBM/Microsoft employees’) dilemma onto other real life situations.

    "Hey, your right front tire looks ….oh wait, is that a charity bus? I’m sorry sir, but as an employee of the Goodyear tire store over there I’m not allowed to diagnose Firestone tire problems. You should get a Firestone mechanic to check out that tire."

    or

    You have just gotten in an automobile wreck, you’re bleeding. A man comes to your window: "I’d love to help, but I’m an employee of an HMO and I can’t participate in non-approved treatment projects. I can tell the paramedics when they get here that they should help you but that’s about it."

    Surreal, isn’t it? Welcome to Lawyer-world, population=us.

    "as a Microsoft employee I’m not allowed to contribute to open source projects. "

    How does Dare work on RSS Bandit? He’s a Microsoft employee right? Do you mean just GPL/LGPL projects?

    :)

  19. Cesar Eduardo Barros says:

    Larry, doesn’t the GPL revert to traditional copyright when it’s violated? So, all the currently existing copyright case law would be applicable.

    (I don’t think I have to say IANAL since I’m not in the US, but I’m saying it anyways: I’m not a lawyer, I’m a CS student)

    From what I understand, the GPL only gives you extra rights; if you don’t follow its rules, the extra rights cease to apply, and then you have a normal copyright infringement case on your hands. I don’t think any new case law is needed.

    While some people might allow you to get out of it by licensing your code under the GPL, it’s not the only option (it’s just the traditional one for GPL cases, and of course both sides have to agree for it to happen). You might prefer to pay some damages and cease using the copied code, for instance (or any other "traditional" copyright violation punishment).

    Of course, I might be wrong. And I still think a Preview button would be really useful here.

  20. Cesar, I’ll be writing this up tomorrow, it’s worth a topic in its own right. I’m not a lawyer, so it’ll have lots of disclaimers but…

    Sorry about not posting for the past couple of days btw, I’ve been visiting family back east :)