FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

nss/ca_root_nss -- fraudulent certificates issued by

Affected packages
nss < 3.12.11
ca_root_nss < 3.12.11
3.6.*,1 < firefox < 3.6.22,1
4.0.*,1 < firefox < 6.0.2,1
seamonkey < 2.3.2
linux-firefox < 3.6.22,1
3.1.* < thunderbird < 3.1.14
5.0.* < thunderbird < 6.0.2
linux-thunderbird < 3.1.14
linux-seamonkey < 2.3.2


VuXML ID aa5bc971-d635-11e0-b3cf-080027ef73ec
Discovery 2011-07-19
Entry 2011-09-03
Modified 2011-09-06

Heather Adkins, Google's Information Security Manager, reported that Google received

[...] reports of attempted SSL man-in-the-middle (MITM) attacks against Google users, whereby someone tried to get between them and encrypted Google services. The people affected were primarily located in Iran. The attacker used a fraudulent SSL certificate issued by DigiNotar, a root certificate authority that should not issue certificates for Google (and has since revoked it). [...]

VASCO Data Security International Inc., owner of DigiNotar, issued a press statement confirming this incident:

On July 19th 2011, DigiNotar detected an intrusion into its Certificate Authority (CA) infrastructure, which resulted in the fraudulent issuance of public key certificate requests for a number of domains, including [...] an external security audit concluded that all fraudulently issued certificates were revoked. Recently, it was discovered that at least one fraudulent certificate had not been revoked at the time. [...]

Mozilla, maintainer of the NSS package, from which FreeBSD derived ca_root_nss, stated that they:

revoked our trust in the DigiNotar certificate authority from all Mozilla software. This is not a temporary suspension, it is a complete removal from our trusted root program. Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort.

Three central issues informed our decision:

  1. Failure to notify. [...]
  2. The scope of the breach remains unknown. [...]
  3. The attack is not theoretical.