[Announce] Qt Project Security Advisory: unauthorized SSL certificates by Türktrust discovered

List for announcements regarding Qt releases and development announce at qt-project.org
Mon Jan 7 11:53:57 CET 2013


Qt Project Security Advisory
----------------------------

Title:        unauthorized SSL certificates by Türktrust discovered
Risk Rating:  Medium
Platforms:    All
Modules:      QtNetwork
Versions:     All
Author:       Peter Hartmann
Date:         7th January 2013

Overview
--------

SSL certificates issued under the Turkish Certificate Authority Türktrust
have been discovered on the Internet which cannot be trusted.

Details
-------

The Turkish Certificate Authority Türktrust had issued two certificates
in 2011 for the domains (i.e. with the Common Name fields) "*.EGO.GOV.TR"
and "e-islem.kktcmerkezbankasi.org" that were meant to be ordinary site
certificates. However, those certificates were erroneously issued as
intermediate CA certificates, meaning their holders could use them to
sign further certificates for arbitrary domains, and such certificates
chain up to the trusted Türktrust root.

Impact
------

Site certificates signed by one of the aforementioned intermediate
certificates have been seen on the Web, claiming to be valid for domains
such as google.com or youtube.com. A client that trusts the Türktrust
root accepts such certificates, so they can be used to impersonate
those sites.

Those intermediate certificates issued by Türktrust cannot and should
not be trusted, hence they were added to the Qt certificate blacklist.
This means that an SSL connection to a server presenting either of
those two certificates anywhere in its chain will fail certificate
verification in Qt.

Workaround
----------

Until a fixed release is in use, the check for the rogue certificates
can also be done in application code, depending on the specific use
case: inspect the certificate chain presented by the peer after the
handshake and reject the connection if either of the two certificates
appears anywhere in that chain, not only in the leaf position.
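The following is an added example, not part of this advisory or of Qt's code, that replays the incident offline and then applies the check the workaround describes. It is written in Go rather than Qt C++ because Go's standard library can generate the whole certificate chain in memory: a constructed trusted root signs an intermediate whose Common Name is one of the two names above but which carries basicConstraints CA:TRUE, and that intermediate signs a leaf for www.google.com. Ordinary path validation accepts that chain; a blacklist walk over every certificate in the chain rejects it. The root name, hostnames, serial numbers and the CN-only matching rule are assumptions of the example. In a Qt application the same walk would go over QSslConfiguration::peerCertificateChain(), comparing each certificate's subjectInfo(QSslCertificate::CommonName).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Subject CNs of the two Türktrust certificates named in the advisory. Matching
// on CN alone is an assumption of this example; the page gives no serial numbers.
var rogueCNs = map[string]bool{
	"*.EGO.GOV.TR":                  true,
	"e-islem.kktcmerkezbankasi.org": true,
}

// rogueInChain checks every link of a validated chain (leaf first, root last),
// not only the leaf: the google.com leaf looked fine, the CA:TRUE cert above it did not.
func rogueInChain(chain []*x509.Certificate) string {
	for _, c := range chain {
		if rogueCNs[c.Subject.CommonName] {
			return c.Subject.CommonName
		}
	}
	return ""
}

func must[T any](v T, err error) T { // the chain is built in memory; a failure is a bug
	if err != nil {
		panic(err)
	}
	return v
}

// issue creates a P-256 key for tmpl and has signer sign it (self-signed if nil).
func issue(tmpl, signer *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if signer == nil {
		signer, signerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// caTemplate carries basicConstraints CA:TRUE, the property the two "site" certs were issued with.
func caTemplate(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// buildChain: constructed root -> intermediate with intermediateCN -> leaf for leafHost.
// It returns the leaf and the root/intermediate pools a client would validate against.
func buildChain(intermediateCN, leafHost string) (*x509.Certificate, x509.VerifyOptions) {
	root, rootKey := issue(caTemplate("Example Root CA (constructed)", 1), nil, nil)
	inter, interKey := issue(caTemplate(intermediateCN, 2), root, rootKey)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: leafHost},
		DNSNames:     []string{leafHost},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, interKey)
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(inter)
	return leaf, opts
}

// plainVerify is ordinary path validation (signatures, validity period, hostname);
// it accepts the rogue chain because nothing in it is malformed.
func plainVerify(leaf *x509.Certificate, opts x509.VerifyOptions, host string) ([][]*x509.Certificate, error) {
	opts.DNSName = host
	return leaf.Verify(opts)
}

// blacklistVerify is the application-level check from the Workaround section:
// after path validation, reject any chain containing one of the rogue certificates.
func blacklistVerify(leaf *x509.Certificate, opts x509.VerifyOptions, host string) error {
	chains, err := plainVerify(leaf, opts, host)
	if err != nil {
		return err
	}
	for _, chain := range chains {
		if cn := rogueInChain(chain); cn != "" {
			return fmt.Errorf("chain contains blacklisted certificate %q", cn)
		}
	}
	return nil
}
```

Calling buildChain("*.EGO.GOV.TR", "www.google.com") and then plainVerify on the result succeeds, while blacklistVerify returns an error naming the rogue certificate; a chain built under an ordinary intermediate name passes both. A production check should pin more than the Common Name, for instance the serial number and issuer of the real certificates, which this page does not list. The point the example shows is that the check must cover every certificate in the chain, not only the leaf, and that it comes in addition to ordinary validation, not in place of it.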

Solution
--------

The problem will be solved in the upcoming Qt releases 5.0.1 and 4.8.5.
Alternatively, apply the patch below:

https://codereview.qt-project.org/#change,43968

Timeline
--------

3rd January 2013 - Google warned about unauthorized certificates
4th January 2013 - Issue disclosed to the Qt security team
4th January 2013 - Patch applied to codelines
7th January 2013 - Advisory released
