firefox 31 + self-signed certificate = sec_error_ca_cert_invalid

If you are trying to access site with self-signed certificate with Firefox 31 (or later) and get Issuer certificate is invalid error (sec_error_ca_cert_invalid), you have to disable new mozilla::pkix certificate verification.

In about:config set

security.use_mozillapkix_verification = false

To find out more about mozilla::pkix and why your firefox just got so super secure and paranoid, that it doesn’t allows you to access you own site without googling – see https://wiki.mozilla.org/SecurityEngineering/Certificate_Verification. I’m only wondering, why did they renamed it from insanity::pkix to mozilla::pkix – do they confess that ‘mozilla’ is slowly becoming a synonym for ‘insane’ ?-) Throwing such an error without any hint or possiblity to add an exception (as usual) is IMHO insane – but, who cares about power users today…

Update: As noted in comments, this should not work in Firefox 33 (or later).

Update2: As noted by #29 and referenced bugs, there seem to be (at least) 2 major cases, where new insane::pkix will refuse to accept a https site.

  1. Your internal CA certificate doesn’t specifies CA:TRUE in X509v3 Basic Constraints section
  2. You self-signed server certificate (the last one in certificate chain) specifies CA:TRUE – what is default for certificates generated by pkitool script from easy-rsa suite – and you have your CA certificate installed in FF.

See also FF bug #1042889.

Update3: Thanks to the work of Kai Engert, there is a fix for this in Firefox 31 ESR (download from https://www.mozilla.org/en-US/firefox/organizations/) and hopefully the same comes also with Firefox 33.1.

 

windows – exporting non-exportable private key

If you are trying to export windows certificate with private key, and windows export wizard provides no such possibility (export with private key is grayed out) because private key has been install as non-exportable (what is the default when importing, what almost nobody changes), there is a great tool mimikatz that makes this possible.

Download it from http://blog.gentilkiwi.com/mimikatz.

And follow this procedure:

  1. crypto::patchcapi (or crypto::patchcng if previous did not work)
  2. crypto::listKeys (or crypto::listCertificates) to list keys/certificates
  3. crypto::exportKeys (or crypto::exportCertificates) to export what you want

That’s all. Exported keys will be protected with password ‘mimikatz‘ – you will need to enter it when importing certificate again.

 

Security fail (Google)

Just a quick post about a little (and nasty) bug I’ve found in Google Docs. I’ve already contacted Google 2 months ago (11 Februar), but they seem to have better work (counting money or smth. like that) and I didn’t received any response nor the bug has not been fixed.

Description:

Anyone with invite link to some specific document stored in Google Docs, can view this document regardless of sharing properties defined. This includes also guest visitors of the document, and that means no signing-in to Google Docs service is required to access such a link and view private document.  Well maybe this is some kind of ultra easy accessibility feature, but for me it looks like a bug ;-)

Example:

https://docs.google.com/Doc?docid=0AYYA7ZD-UOAFZHY1bXFucV8zM2RjM3NtNmNu&hl=en

This document is private, shared only with one another account and i presume you can not view it, but if you use this link

https://docs.google.com/Doc?docid=0AYYA7ZD-UOAFZHY1bXFucV8zM2RjM3NtNmNu&hl=en&invite=CI-f3KoG

you can see it’s content. Not very optimal.

How-to reproduce:

  1. create document
  2. share it with someone
  3. use the invite link to feel like a hacker and view your own private document without being signed-in,

How-to abuse:

Well not so easily, you must get the invite link somehow. But, I think it is not so hard as it seems. The invite link works even after the original user has been disallowed to view the document, so something as revoking access to a Google Document to someone that already had access to is is only a pure dream.

Have a nice day