My system:

a) Mandrake Linux 2006.0 with all security updates.
b) OpenOffice 2.0.2 (Spanish language package).
c) Mozilla Suite 1.7.2 with Enigmail plugin 0.82.1.0

I have two digital certificates installed in Mozilla, one for my wife and the other for me (there are Spanish government administrative documents that must be signed by both of us at the same time, so this is a very common arrangement for digital certificates).

The security failure, step by step:

1) Having finished the document, I use the command sequence Archivo | Firmas Digitales (File | Digital Signature).
2) I select Sí (Yes) when asked whether to save the document.
3) I type a name for the document and push the Guardar (Save) button in the Save dialog window.
4) In the Firmas Digitales (Digital Signatures) dialog window, I push the Agregar (Add) button.
5) I type the password for the NSS Certificate DB.
6) Now I can see two digital certificates. I select my wife's certificate (I don't know her password for this certificate, but the system doesn't ask for any password at this moment).
7) After this, the document appears to be signed by my wife, but she knows nothing about it. Notice that I didn't need her certificate password to do this.

As a result, I can use any certificate stored in the NSS Certificate DB without restrictions. I only need the NSS Certificate DB password, and no password for the certificates.

I can do the same with Mozilla Suite and send fake mail messages with a good signature from my wife. To do this, I only need to change the e-mail address and choose my wife's certificate from the NSS Certificate DB. Again, I don't need to know her password for the certificate.

In conclusion, this is a very critical security flaw, because if I have physical access to other people's certificates, I can build a compatible and tailored Certificate DB, and therefore I could use all those certificates without restrictions to sign fake documents or messages. In Spain, the legislation does not allow a signed message to be repudiated, and this flaw can be a serious problem for users.

I will send the same message to Mozilla (https://bugzilla.mozilla.org/show_bug.cgi?id=336963) and Enigmail (http://mozdev.org/bugs/show_bug.cgi?id=14015).

Best regards.

--
Fernando Acero Martín <fernando(punto)acero(en)hispalinux(punto)es>
Mandrake 9.2 user: ACER77-577857-XB / Registered Linux User #294896
Free e-learning at https://developer.berlios.de/projects/migueloo/
Root certificate http://www.cert.fnmt.es/certificados/FNMTClase2CA.crt
GPG ID 8E2A6BA3 Fingerprint DE70 5273 550F 8BFF DBB6 F674 45CA 8E2A 6BA3