mozilla / tls-observatory

An observatory for TLS configurations, X509 certificates, and more.
Mozilla Public License 2.0

Root store results do not match current Firefox #395

Closed jryans closed 3 years ago

jryans commented 4 years ago

When running the TLS observatory scan for some sites such as modular.im, we see the Symantec distrust warning even though the site loads just fine in modern browsers.

Looking at the cert chain for this site we see:

(screenshot of the certificate chain, 2019-11-13 15:08)

Looking at the TLS observatory results, we find in the analysis section:

(screenshot of the analysis section, 2019-11-13 15:10)

that it states it was marked distrusted by symantecDistrust because "path uses a root not trusted by Mozilla: C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root (id=16)". This CA root does not have a connection to Symantec, but it was still logged as a failure by the Symantec-checker because the observatory thinks the CA root is not in the Mozilla trust store:

https://github.com/mozilla/tls-observatory/blob/a3c1b6cfecfd7a0cf8f64c6bdc2b1e1d6a87e06c/worker/symantecDistrust/symantecDistrust.go#L251-L255

Looking at the code for the observatory website, we see that the Symantec warning in the UI is shown for any failure from symantecDistrust, even this one which has no connection to Symantec.

Although the cert explainer claims the Baltimore CyberTrust Root is not in any trust store, it is present in Firefox 72 and it is included in the current version of the Mozilla root cert store (search for D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74).

I believe this means the observatory is using outdated or incorrect info when determining whether a CA root cert is in the trust store, and thus indirectly marking all such sites as connected to Symantec incorrectly.
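The report above hinges on two different outcomes being folded into one warning: a chain that terminates in a root that really is on the Symantec distrust list, and a chain whose root is simply absent from the trust-store snapshot the scanner happens to have. The following Go program is an added illustration of keeping those outcomes apart; it is not tls-observatory code and does not reproduce the symantecDistrust worker. It generates throwaway self-signed roots (constructed test data), computes fingerprints in the colon-separated form Mozilla's root list uses, and looks them up in two small maps that stand in for the Mozilla store and the Symantec root set. Note that the fingerprint quoted in the report, D4:DE:20:...:E4:74, is 20 bytes and therefore a SHA-1 fingerprint; the example keys its store by SHA-256 and also provides the SHA-1 form so both can be compared against published lists.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Verdict is the outcome of checking the root a certificate path ends in.
type Verdict int

const (
	RootTrusted            Verdict = iota // root is in the trust store
	RootSymantecDistrusted                // root is in the Symantec distrust set
	RootNotInStore                        // root unknown to the store: untrusted path, not a Symantec case
)

func (v Verdict) String() string {
	switch v {
	case RootTrusted:
		return "root trusted by Mozilla"
	case RootSymantecDistrusted:
		return "path chains to a distrusted Symantec root"
	default:
		return "path uses a root not trusted by Mozilla (not a Symantec issue)"
	}
}

// colonHex renders a digest as upper-case hex pairs separated by colons,
// the layout used in Mozilla's published root list (e.g. D4:DE:20:...).
func colonHex(sum []byte) string {
	h := strings.ToUpper(hex.EncodeToString(sum))
	parts := make([]string, 0, len(sum))
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":")
}

// FingerprintSHA256 returns the SHA-256 fingerprint of a DER certificate.
func FingerprintSHA256(der []byte) string {
	sum := sha256.Sum256(der)
	return colonHex(sum[:])
}

// FingerprintSHA1 returns the SHA-1 fingerprint (20 bytes, as quoted in the report above).
func FingerprintSHA1(der []byte) string {
	sum := sha1.Sum(der)
	return colonHex(sum[:])
}

// ClassifyRoot looks the root up by SHA-256 fingerprint. A Symantec match takes
// priority over store membership; a root in neither set is reported as
// "not in store", which is a distinct condition from Symantec distrust.
func ClassifyRoot(rootDER []byte, mozillaStore, symantecRoots map[string]bool) Verdict {
	fp := FingerprintSHA256(rootDER)
	switch {
	case symantecRoots[fp]:
		return RootSymantecDistrusted
	case mozillaStore[fp]:
		return RootTrusted
	default:
		return RootNotInStore
	}
}

// SelfSignedRootDER builds a throwaway self-signed CA certificate (constructed
// test data, not a real root) and returns its DER encoding.
func SelfSignedRootDER(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Constructed Example"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	trusted, _ := SelfSignedRootDER("Constructed Trusted Root")
	symantec, _ := SelfSignedRootDER("Constructed Symantec-era Root")
	private, _ := SelfSignedRootDER("Constructed Private Root")
	store := map[string]bool{FingerprintSHA256(trusted): true}
	distrusted := map[string]bool{FingerprintSHA256(symantec): true}
	for _, der := range [][]byte{trusted, symantec, private} {
		fmt.Printf("%s...  %s\n", FingerprintSHA256(der)[:23], ClassifyRoot(der, store, distrusted))
	}
}
```

The third verdict is the one that matters for this issue: if the store map is built from a stale or mis-parsed trust-store export, a legitimate root such as Baltimore CyberTrust lands in RootNotInStore, and any UI that renders every non-Trusted verdict as "Symantec distrust" will mislabel it exactly as described above.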

g-k commented 3 years ago

Ah, the column for the Mozilla truststore in CCADB changed. Fixed in https://github.com/mozilla/tls-observatory/pull/417 then had to wait for the backlog to clear.

TLS Obs now shows:

(screenshot of the updated scan result)

in scan https://tls-observatory.services.mozilla.com/api/v1/results?id=42297239

So I think we're all set here.