Digital certificates
Yaroslav, 2020-09-22 17:42:00

Why does the FSB site (fsb.ru) not use https and how to check revoked certificates by name?

Now it's easy to see that sites like fsb.ru or kremlin.ru are only accessible via http.

The news explains this very briefly, and claims that 35 certificates have been revoked:
This is an unprecedented step, American IT businessman Michael Talan told GORDON
https://gordonua.com/news/politics/it-biznesmen-iz...

Other sources mention this, but in fact they simply reprint this news, refer to it. But after all, we are techies and we are discussing a technical event, besides, as you know, scientists often rape journalists (it would be permissible for them to confuse “withdrawn” and “not extended”, and confuse 35 with 53 or 350). Is it possible that such a significant technical event left only a barely noticeable "humanitarian trace" - an oral statement by an IT businessman to a Ukrainian publication in an article with a click-bait headline?

Is there any way to technically verify that the fsb.ru certificate has been revoked (or maybe they just decided not to use it themselves)? Is there a source for this somewhere? Any threads/tickets on github, verisign or mozilla twitter statements, maybe all revoked certificates are posted somewhere? At worst - if they are revoked in accordance with some American law - that is, is this law / decree listing these 35 certificates in the public domain?


2 answer(s)
CityCat4, 2020-09-22
@xenon

Well, Yaroslavishche, American laws are far from always found in the public domain - you know, "highly likely" ... But the CRL you can check; there aren't that many large CAs - thawte, comodo, globalsign ... It is unlikely that there was a certificate from LE :)
UPD: Nothing will work. The CRL contains only a serial number and a revocation code :) Of course, people who have a certificate can check it - but others most likely can't :)
UPD2 (large):
Well, I was interested in the question, and here are my thoughts.
The article is, of course, bullshit. The site fsb.ru, like kremlin.ru, never had certificates, you can check this with the all-knowing Google - verification service. The service does not find anything - that is, there was nothing. That is, I assume that all these "35 revoked certificates" actually never existed, and the sites mentioned never had certificates.
That is, it turns out that an American is piZDit ... as a real American should be now :) But nevertheless, oddly enough, he is right!
Because the problem is real. Take, for example, Yandex.
The certificate was issued by the Yandex internal CA:

CN = Yandex CA
OU = Yandex Certification Authority
O = Yandex LLC
C = RU

... which is not the root CA; its certificate is issued by:
CN = Certum Trusted Network CA
OU = Certum Certification Authority
O = Unizeto Technologies S.A.
C = PL

... which - suddenly - is (here music, ink, ink and glue) - in Poland!
Issuer:
    CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL
    CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL
Serial:
    196157293353240526643865071022521293608
    279744
    47728425367563953368335862826026879003
    9458922105397704934246893660916578283
Not valid before:
    2008-10-22 12:07:37 UTC
Not valid after:
    2027-06-10 10:46:39 UTC
    2029-12-31 12:07:37 UTC
    2025-12-30 23:59:59 UTC
Key size:
    2048
Signature Algorithm:
    sha256WithRSAEncryption
    sha1WithRSAEncryption

basicConstraints:
    CA:TRUE
subjectKeyIdentifier:
    08:76:CD:CB:07:FF:24:F6:C5:CD:ED:BB:90:BC:E2:84:37:46:75:F7
authorityKeyIdentifier:
    DirName:/C=PL/O=Unizeto Sp. z o.o./CN=Certum CA
    serial:01:00:20
keyUsage:
    Certificate Sign, CRL Sign
crlDistributionPoints:
    Full Name: URI:http://crl.certum.pl/ca.crl
authorityInfoAccess:
    OCSP - URI:http://subca.ocsp-certum.com
    CA Issuers - URI:http://repository.certum.pl/ca.cer
certificatePolicies:
    Policy: X509v3 Any Policy CPS: http://www.certum.pl/CPS
    Policy: X509v3 Any Policy CPS: https://www.certum.pl/CPS

(proof - here)
That is, with one movement of the mouse, Certum revokes the certificate of the Yandex subcenter - and all the certificates issued by it turn ... into a pumpkin!
There is something to go crazy with ...
Well, one more point. Having a site certificate, you can simply check whether it has been revoked. Here is an article on Habr; it is short, but there are useful commands there.
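
The two points made in the answer above (a CRL entry carries a serial number and a reason, not a name, and a certificate you hold can be checked against the CRL), shown as an added example that is not part of the original answer. It builds a throwaway CA offline with the openssl CLI; the names Demo CA and site.example, the file layout and the function names are constructed for the demo.

```shell
# Constructed offline demo: throwaway CA "Demo CA" and leaf "site.example" (assumed names).
make_pki() {  # $1 = empty work dir; creates the CA, one leaf cert and an empty CRL
    local d=$1; mkdir -p "$d/certs"; : > "$d/index.txt"; echo 1000 > "$d/serial"; echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = Demo CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
new_certs_dir = $d/certs
serial = $d/serial
crlnumber = $d/crlnumber
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
    openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=site.example" \
        -keyout "$d/site.key" -out "$d/site.csr" 2>/dev/null &&
    openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/site.csr" -out "$d/site.pem" 2>/dev/null &&
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/ca.crl" 2>/dev/null
}
revoke() {  # $1 = work dir: the CA revokes the leaf, then publishes a fresh CRL
    openssl ca -config "$1/ca.cnf" -revoke "$1/site.pem" -crl_reason keyCompromise 2>/dev/null &&
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
}
is_valid() {  # chain and CRL check; fails once the leaf's serial is on the CRL
    openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/ca.crl" "$1/site.pem" >/dev/null 2>&1
}
crl_has_serial() {  # a CRL is keyed by serial number, so that is what gets looked up
    local s; s=$(openssl x509 -in "$1/site.pem" -noout -serial | cut -d= -f2)
    openssl crl -in "$1/ca.crl" -noout -text | grep -qi "Serial Number: *$s"
}
crl_has_name() { openssl crl -in "$1/ca.crl" -noout -text | grep -q "site.example"; }  # subject name never appears
```

For a real certificate, the CRL to download is the one named in its crlDistributionPoints field, as in the Certum listing above.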

Vitaly Karasik, 2020-09-23
@vitaly_il1

"However, the official portals of the President of Russia kremlin.ru, the State Duma www.duma.gov.ru, the Federal Security Service of Russia www.fsb.ru, and the Security Council of the Russian Federation www.scrf.gov.ru have not yet been puzzled by the security of the transmitted information."
https://roskomsvoboda.org/31159/ - 08/15/2017
