Qt Project Security Advisory
----------------------------

Title: unauthorized SSL certificates by Türktrust discovered
Risk Rating: Medium
Platforms: All
Modules: QtNetwork
Versions: All
Author: Peter Hartmann
Date: 7th January 2013

Overview
--------

SSL certificates that cannot be trusted have been discovered on the Internet. They chain up to two certificates mis-issued by the certificate authority Türktrust.

Details
-------

In 2011 the Turkish Certificate Authority Türktrust issued two certificates for the domains (Common Name fields) "*.EGO.GOV.TR" and "e-islem.kktcmerkezbankasi.org" that were meant to be ordinary site certificates. However, those certificates were erroneously issued as intermediate (CA) certificates, meaning they could be used to sign other certificates, which clients would then accept as if Türktrust itself had issued them.

Impact
------

Site certificates signed by the aforementioned intermediate certificates have been seen on the Web, pretending to be valid for domains such as google.com or youtube.com. Those intermediate certificates issued by Türktrust cannot and should not be trusted, hence they were added to the Qt certificate blacklist. This means that an SSL connection to a server that presents either of those two certificates in its chain will fail with Qt.

Workaround
----------

Applications that cannot upgrade yet can perform the same check in application code: inspect the peer's certificate chain and abort the connection if either of the mis-issued certificates appears in it. How this is best integrated depends on the specific use case.

Solution
--------

The problem will be fixed in the upcoming Qt releases 5.0.1 and 4.8.5. Alternatively, apply the patch at:
https://codereview.qt-project.org/#change,43968

Timeline
--------

3rd January 2013 - Google warned about unauthorized certificates
4th January 2013 - Issue disclosed to the Qt security team
4th January 2013 - Patch applied to codelines
7th January 2013 - Advisory released
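The application-level check mentioned under Workaround, as an added example that is not part of this advisory and not Qt's own code: a minimal DER walker pulls each certificate's serial number and subject Common Name out of the chain and compares the pair against a blacklist, which is also how Qt's built-in blacklist matches. The blacklist serial numbers and the sample certificates are constructed for the example (no real keys or signatures, and not the real Türktrust serial numbers); the walker reads only the first attribute of each subject RDN and fails closed on anything it cannot parse.

```cpp
// Added example (not Qt's code): refuse a certificate chain containing a blacklisted certificate,
// matched on (serial number, subject CN) as Qt's built-in blacklist is. Serials are placeholders.
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <string>
#include <vector>
using Bytes = std::vector<uint8_t>;
struct Tlv { uint8_t tag; size_t hdr, len; };            // DER header size, content size

// Parse one DER tag/length header at d[pos]; false on truncation or oversize length.
static bool readTlv(const Bytes &d, size_t pos, Tlv &out) {
    if (pos + 2 > d.size()) return false;
    size_t len = d[pos + 1], hdr = 2;
    if (len & 0x80) {                                     // long form: 0x8N, then N length bytes
        size_t n = len & 0x7f;
        if (n == 0 || n > 4 || pos + 2 + n > d.size()) return false;
        for (len = 0; hdr < 2 + n; ++hdr) len = (len << 8) | d[pos + hdr];
    }
    if (pos + hdr + len > d.size()) return false;
    out = Tlv{d[pos], hdr, len};
    return true;
}
static std::string hex(const Bytes &d, size_t pos, size_t len) {   // "00:a1:b2:c3" style
    std::string s; char buf[4];
    for (size_t i = 0; i < len; ++i) { snprintf(buf, sizeof buf, "%s%02x", i ? ":" : "", d[pos + i]); s += buf; }
    return s;
}

struct CertId { bool ok = false; std::string serial, cn; };
// Walk Certificate{ tbs{ [0]version?, serial, sigAlg, issuer, validity, subject, ... }, ... } and
// return the serial number and the subject commonName (first attribute of each RDN only).
static CertId extractId(const Bytes &der) {
    Tlv t;
    if (!readTlv(der, 0, t) || t.tag != 0x30) return {};
    size_t pos = t.hdr;
    if (!readTlv(der, pos, t) || t.tag != 0x30) return {};                  // tbsCertificate
    if (!readTlv(der, pos += t.hdr, t)) return {};
    if (t.tag == 0xa0 && !readTlv(der, pos += t.hdr + t.len, t)) return {}; // skip [0] version
    if (t.tag != 0x02) return {};                                            // serialNumber INTEGER
    CertId id;
    id.serial = hex(der, pos + t.hdr, t.len);
    for (int i = 0; i < 4; ++i)                          // signature, issuer, validity, then subject
        if (!readTlv(der, pos += t.hdr + t.len, t) || t.tag != 0x30) return {};
    size_t end = pos + t.hdr + t.len;                    // t is now the subject Name
    for (pos += t.hdr; pos < end; pos += t.hdr + t.len) {   // one SET per RDN
        Tlv seq, oid, val;
        if (!readTlv(der, pos, t) || t.tag != 0x31) return {};
        size_t p = pos + t.hdr;
        if (!readTlv(der, p, seq) || seq.tag != 0x30 || !readTlv(der, p += seq.hdr, oid) || oid.tag != 0x06) return {};
        size_t o = p + oid.hdr, v = o + oid.len;
        if (!readTlv(der, v, val)) return {};
        if (oid.len == 3 && der[o] == 0x55 && der[o + 1] == 0x04 && der[o + 2] == 0x03)   // id-at-commonName
            id.cn.assign(der.begin() + v + val.hdr, der.begin() + v + val.hdr + val.len);
    }
    id.ok = !id.cn.empty();
    return id;
}

struct Entry { const char *serial, *cn; };
static const Entry kBlacklist[] = {{"00:a1:b2:c3", "*.EGO.GOV.TR"},                    // placeholder serials,
                                   {"00:a1:b2:c4", "e-islem.kktcmerkezbankasi.org"}};  // not the real ones
// True if any certificate in the chain is blacklisted or cannot be parsed (fail closed).
static bool chainIsBlacklisted(const std::vector<Bytes> &chain) {
    for (const Bytes &der : chain) {
        CertId id = extractId(der);
        if (!id.ok) return true;
        for (const Entry &e : kBlacklist)
            if (id.serial == e.serial && id.cn == e.cn) return true;
    }
    return false;
}

// --- constructed sample data: structurally valid certificate skeletons, no real keys or signatures ---
static Bytes tlv(uint8_t tag, const Bytes &c) {          // DER encoder for the samples (lengths < 256)
    Bytes out = c.size() < 128 ? Bytes{tag, (uint8_t)c.size()} : Bytes{tag, 0x81, (uint8_t)c.size()};
    out.insert(out.end(), c.begin(), c.end());
    return out;
}
static Bytes tlvs(uint8_t tag, std::initializer_list<Bytes> parts) {   // tag over concatenated parts
    Bytes c;
    for (const Bytes &p : parts) c.insert(c.end(), p.begin(), p.end());
    return tlv(tag, c);
}
static Bytes str(const std::string &s) { return Bytes(s.begin(), s.end()); }
static Bytes sampleCert(const Bytes &serial, const std::string &cn) {
    Bytes name = tlv(0x30, tlv(0x31, tlvs(0x30, {tlv(0x06, {0x55, 0x04, 0x03}), tlv(0x0c, str(cn))})));
    Bytes tbs = tlvs(0x30, {tlv(0xa0, tlv(0x02, {0x02})),                                  // version v3
                            tlv(0x02, serial),                                             // serialNumber
                            tlv(0x30, tlv(0x06, {0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b})),
                            name,                                                          // issuer
                            tlvs(0x30, {tlv(0x17, str("130101000000Z")), tlv(0x17, str("140101000000Z"))}),
                            name});                                                        // subject
    return tlvs(0x30, {tbs, tlv(0x30, Bytes{}), tlv(0x03, Bytes{0x00})});  // + signatureAlgorithm, signature
}

int main() {
    std::vector<Bytes> good  = {sampleCert({0x10}, "www.example.com"), sampleCert({0x11}, "Example Root CA")};
    std::vector<Bytes> rogue = {sampleCert({0x12}, "www.google.com"),                      // leaf issued by
                                sampleCert({0x00, 0xa1, 0xb2, 0xc3}, "*.EGO.GOV.TR")};     // the blacklisted CA
    printf("good chain rejected: %d, rogue chain rejected: %d\n", chainIsBlacklisted(good), chainIsBlacklisted(rogue));
}
```

In Qt the same comparison would be run over QSslSocket::peerCertificateChain(), using QSslCertificate::serialNumber() and QSslCertificate::subjectInfo(QSslCertificate::CommonName) for each certificate, for example in a slot connected to QSslSocket::encrypted() that aborts the socket before any application data is sent. Matching on the serial number alone is not enough, since serial numbers are only unique per issuer; the Common Name has to match as well, and an unparseable certificate should be treated as a rejection rather than ignored.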
_______________________________________________
Announce mailing list
http://lists.qt-project.org/mailman/listinfo/announce
_______________________________________________
Development mailing list
http://lists.qt-project.org/mailman/listinfo/development
