This QR code proves Adolf Hitler has received 2 doses of Pfizer vaccine. At the moment you can still use the Estonian app to verify this (https://kontroll.digilugu.ee). Probably this specific cert will be revoked soon in all the apps.
But the cat is out of the bag. Everyone's grandparents will need to do the certificate retrieval dance again, which is another confusion that we did not need at this critical junction.
Someone out there has a serious problem with ethics. Or someone really screwed up to the point where it was obvious that a responsible disclosure was already a moot point. In my experience, CERT-EU is normally very competent and would have handled it professionally.
The alternate seems to be actually more popular (22 pts vs 6 pts), but I suppose the HN algorithm rates it down due to pointing to GitHub?
I checked the Hitler code with apps from Latvia, Switzerland, Luxembourg, Iceland and France.
The apps for Latvia, Luxembourg and Switzerland say OK, the one for France says "OK but fraudulent", the one for Iceland says no. From the article it looks like the Italian app also says no.
Not revoked everywhere it seems. Also, the French app seems to check against a blacklist, so it is possible that only the Hitler code is considered invalid and not the signing key.
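The distinction drawn above, between blacklisting one certificate and revoking the signing key itself, as an added example written for this page (not code from the thread or from any of the national verifier apps): a toy verifier in Go that checks an ECDSA P-256 signature against a trust list keyed by KID, then consults two separate revocation lists. The `Pass` struct, the `kid-A` key identifier, the UVCI strings and the names are constructed placeholders, and the flat SHA-256 digest stands in for the real COSE/CBOR encoding of an EU DCC.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Verdict is the outcome a verifier app reports for a scanned pass.
type Verdict string

const (
	VerdictOK         Verdict = "OK"
	VerdictFraudulent Verdict = "signature OK but certificate blacklisted"
	VerdictKeyRevoked Verdict = "signing key revoked"
	VerdictBadSig     Verdict = "signature invalid or unknown key"
)

// Pass is a constructed stand-in for one signed certificate. The real EU DCC
// is a COSE_Sign1 structure over a CBOR payload; this flat struct keeps the
// revocation logic as the only moving part.
type Pass struct {
	KID   string // identifier of the issuer key that signed the pass
	UVCI  string // unique certificate identifier carried in the payload
	Name  string
	Doses int
	Sig   []byte // ASN.1 DER ECDSA signature over digest()
}

// digest hashes the signed fields in a fixed order.
func (p Pass) digest() []byte {
	h := sha256.New()
	fmt.Fprintf(h, "%s|%s|%s|%d", p.KID, p.UVCI, p.Name, p.Doses)
	return h.Sum(nil)
}

// Verifier holds the trust list (issuer public keys by KID) and two
// independent revocation lists: single certificates, and whole issuer keys.
type Verifier struct {
	TrustList    map[string]*ecdsa.PublicKey
	RevokedUVCIs map[string]bool
	RevokedKIDs  map[string]bool
}

// Verify checks the signature first, then the two revocation lists.
func (v *Verifier) Verify(p Pass) Verdict {
	pub, ok := v.TrustList[p.KID]
	if !ok || !ecdsa.VerifyASN1(pub, p.digest(), p.Sig) {
		return VerdictBadSig
	}
	// Revoking the key invalidates every pass it ever signed, legitimate or not.
	if v.RevokedKIDs[p.KID] {
		return VerdictKeyRevoked
	}
	// Blacklisting a UVCI removes only that one certificate; other passes
	// signed by the same key keep verifying.
	if v.RevokedUVCIs[p.UVCI] {
		return VerdictFraudulent
	}
	return VerdictOK
}

// Sign attaches the issuer signature to a pass.
func Sign(priv *ecdsa.PrivateKey, p Pass) (Pass, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, p.digest())
	if err != nil {
		return p, err
	}
	p.Sig = sig
	return p, nil
}

// Scenario builds one issuer key and two passes it signed, then records the
// verdicts under no revocation, a UVCI blacklist, and a key revocation.
func Scenario() (map[string]Verdict, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	// Constructed sample data: UVCI strings and names are placeholders.
	legit, err := Sign(priv, Pass{KID: "kid-A", UVCI: "URN:UVCI:01:XX:LEGIT-0001", Name: "Jane Doe", Doses: 2})
	if err != nil {
		return nil, err
	}
	forged, err := Sign(priv, Pass{KID: "kid-A", UVCI: "URN:UVCI:01:XX:FORGED-0002", Name: "Not A Person", Doses: 2})
	if err != nil {
		return nil, err
	}
	v := &Verifier{
		TrustList:    map[string]*ecdsa.PublicKey{"kid-A": &priv.PublicKey},
		RevokedUVCIs: map[string]bool{},
		RevokedKIDs:  map[string]bool{},
	}
	out := map[string]Verdict{}
	out["forged, no lists"] = v.Verify(forged) // a valid signature is all the app can see
	v.RevokedUVCIs[forged.UVCI] = true
	out["forged, uvci blacklisted"] = v.Verify(forged)
	out["legit, uvci blacklisted"] = v.Verify(legit) // untouched by someone else's entry
	v.RevokedKIDs["kid-A"] = true
	out["legit, kid revoked"] = v.Verify(legit) // collateral damage: must be reissued
	tampered := legit
	tampered.Doses = 3
	out["tampered"] = v.Verify(tampered)
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	for k, verdict := range out {
		fmt.Printf("%-26s -> %s\n", k, verdict)
	}
}
```

The ordering inside `Verify` is the practical point: a key revocation takes down every pass that key ever signed, which is the "everyone needs a new certificate" cost discussed in this thread, while a UVCI blacklist only catches certificates that someone has already identified as forged and leaves the rest of the issuer's output valid.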
Nobody on this forum provided any kind of verification that they own the private key. It is way more likely that a rogue doctor sells certificates to unvaccinated people (which we know happens) than that the private key leaked, so let's not jump to conclusions here.
I think that's absolutely the most likely. And it's not hundreds, it's probably more like tens of thousands (or more). For example, when I got mine issued in Germany, I just went to a pharmacy, gave them my ID and (paper) vaccination record, and the pharmacist came back in a couple of minutes with my QR code.
The interesting thing to watch, over the coming days, is this: will the public policy response do the technically correct thing, and make sure that you need all your original documentation (signed records from the doctor's office, etc.) to get your new covpass issued? Or will they do something incorrect (but easy), like let people come in with their now-invalid pass plus a government ID to get a new one issued?
These QR codes are the most obvious things to make, but they're also least useful as proof you've got the keys.
Certainly if you have a private key and you want to prove that you know the key, you can trivially make documents that only somebody with the key could make, that aren't documents any system would give people who don't have the key and yet also aren't useful fictitious documents if you're acting as a whistleblower.
That's what was done when a certificate reseller emailed the private keys of their customers to the CA they were reselling - for some reason that's unclear. The CA minted CSRs that showed they now knew the private key, without revealing what it is, and so we could all see that yup, somebody sent this CA the private keys, game over for those certificates.
[ PSA: They're called private keys, not secret keys or shared keys for a reason. Where possible you should choose your own private keys randomly and never reveal them to anybody ]
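The proof-of-possession described in this comment, as an added example written for this page in Go (not the commenter's code, and not what the CA in the anecdote actually ran): the holder of a key publishes a CSR, and an auditor checks the CSR's self-signature and that the embedded public key is the published one under scrutiny. The key identifier in the CommonName is constructed; the whole thing uses only the Go standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// ProofOfPossession is what someone holding a private key can publish to show
// they hold it: a CSR carries the public key plus a signature made with the
// matching private key, and reveals nothing about the private scalar itself.
// The CommonName is free text; the value passed in below is a constructed note.
func ProofOfPossession(priv *ecdsa.PrivateKey, note string) ([]byte, error) {
	tmpl := x509.CertificateRequest{Subject: pkix.Name{CommonName: note}}
	return x509.CreateCertificateRequest(rand.Reader, &tmpl, priv)
}

// CheckProof is the auditor's side: parse the CSR, check its self-signature,
// and confirm the key inside is the published issuer key in question.
// Both checks are needed; a valid CSR for some other key proves nothing.
func CheckProof(der []byte, published *ecdsa.PublicKey) (bool, error) {
	csr, err := x509.ParseCertificateRequest(der)
	if err != nil {
		return false, err
	}
	if err := csr.CheckSignature(); err != nil {
		return false, err
	}
	pub, ok := csr.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false, fmt.Errorf("unexpected key type %T in CSR", csr.PublicKey)
	}
	return pub.Equal(published), nil
}

// Demo plays both roles: "issuer" stands in for the key alleged to have
// leaked, "other" for an unrelated key someone might present as a bluff.
func Demo() (genuine, impostor bool, err error) {
	issuer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	// Constructed note text; a real claimant would name the KID they hold.
	proof, err := ProofOfPossession(issuer, "proof of possession for kid-A (constructed)")
	if err != nil {
		return
	}
	genuine, err = CheckProof(proof, &issuer.PublicKey)
	if err != nil {
		return
	}
	bluff, err := ProofOfPossession(other, "proof of possession for kid-A (constructed)")
	if err != nil {
		return
	}
	impostor, err = CheckProof(bluff, &issuer.PublicKey)
	return
}

func main() {
	genuine, impostor, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("CSR from holder of the published key verifies:", genuine) // true
	fmt.Println("CSR from an unrelated key verifies:", impostor)           // false
}
```

The CSR is a good vehicle for this because it is a well-understood, widely parseable format that no issuing system would ever hand to an end user, so it cannot be mistaken for a usable certificate, yet only the key holder can produce one whose signature checks out against the published public key.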
Nobody verified my code so far, they just eyeball the app. So the practical impact of such a leak is probably small, since people will fall for dumb forgeries already.
I had it verified constantly, both in airports and (on a trip to Italy) on pretty much every restaurant or bar I went to. I think it was only once that they were fine with showing it, all the others had scanners.
My experience was very mixed with the (limited) travel I did this year. In Austria they just eyeball your certificate. In Italy everyone used an app to verify the QR code (although I've still only gotten my ID checked once).
Exactly my experience. Not a fan of a vaccine pass, but when I did show it at a restaurant they didn't even know what to do with it. Looked at it a bit confused, said 'yes, yes' and that was it. No check whatsoever. I don't mind that at all to be honest.
The only place that really checks with the app in my world is a sweaty dance club in Prague. This is actually very appropriate. They even match with my ID.
It seems like the keys of one of the issuers got leaked, not the root keys, so it looks like the fallout might be confined to the people who got their cert from that issuer (seems to be a French one). Or am I missing something?
What I read was they were seeing fake certificates - but these could be created by compromising the vax registration application and certificate download process.
It could be done by compromising a vaccine clinic tablet and issuing new records into the main WHO CoVAX record database under arbitrary names, and then collecting the fake passport image from the web interface citizens use.
I don't think you need to compromise the root certificate or signing keys to do this, there are easier ways. (But if I could put in a request for a Josef K., and an A. Solzhenitsyn novelty certificate, it would be a nice to have on my phone.)
If you are wondering about Vaccine QR codes, see this article that explains how the "shc" (SMART Health Card) protocol is used to generate and decode the QR.
Apparently the leaked keys have already been blacklisted. So all certificates signed with the leaked keys will need to be reissued. FWIW, it wasn't the Italian key that was leaked.
(Italian here) AFAIK Italy implemented the logic to be valid for 9 months, which wasn't ideal and it shows its limit in situations like this since we don't have a short expiry date.
Dunno if in the end they also put in place some kind of blacklisting for leaked certificates
Given it is the same "poorly implemented digital identity platform" that has been in use for the last 40 years, and secures basically every form of non-in-person communication you conduct, I am expecting that to continue for a bit longer.
The system's designers did, which is why key revocation is built into the system. The practical effects of this leak will be the people who refused the app and don't read the news will be surprised when their paper certificates are rejected.
78 governments have ICAO private keys, and most have done so for >10 years now. If what "we all know" is true, then you should be able to find a leaked key easily. Try googling.
Or you might fall back to claiming that while governments evidently can hold on to ICAO private keys, they can't hold on to this other kind of private key, because...
Just wonder, how would any of you vaccine masterminds explain how vax scanners for PEOPLE are coming and how will they detect if you really had the shot? How would that be possible without some magnetic stuff in your blood?
Now you know why it is so "important" to let go on the green pass, 'cause you're gonna be a walking magnet for simple metal detectors, presented as state of the art new science.
Turns out there's no certificate or keys leaked, but there was an exposed unsecured web service to generate GP from Poland. It has since been fixed, but apparently there's a couple more still around (Vietnam and such it seems).
For all practical everyday use, this doesn't matter. Nobody has ever even checked that my ID card has the same name as in the app, let alone scanned the QR code to verify. They just glance, and that gives them plausible deniability to let me in though.
Based on the information I've received, the private keys for all European countries have been leaked. There appears to be a centralised EU system where they all are stored.
clon | 4 years ago
tomp | 4 years ago
untitaker_ | 4 years ago
It's very questionable whether this is true. Revocation can be done many different ways, reissuing can be made more convenient too.
rmetzler | 4 years ago
mfru | 4 years ago
https://greencheck.gv.at/
piaste | 4 years ago
archi42 | 4 years ago
Discussion: https://news.ycombinator.com/item?id=29011537 (1 comment)
capableweb | 4 years ago
Actual source seems to be here: https://rfmirror.com/Thread-TRADING-make-EU-green-pass?page=...
GuB-42 | 4 years ago
lmilcin | 4 years ago
thesimon | 4 years ago
zyuiop | 4 years ago
andrewaylett | 4 years ago
kuroguro | 4 years ago
I find it more likely there's an option to enter custom data for non-citizens and someone was just messing around.
tkfu | 4 years ago
tialaramex | 4 years ago
gpderetta | 4 years ago
CodesInChaos | 4 years ago
wasmitnetzen | 4 years ago
* Germany: usually quick glance at the QR code
* France: usually properly scanned
* Sweden: not even planned to be used
* Italy: usually properly scanned
kace91 | 4 years ago
ginko | 4 years ago
neals | 4 years ago
raxxorrax | 4 years ago
Airports check it, but other than that...
stavros | 4 years ago
jagger27 | 4 years ago
consumer451 | 4 years ago
traspler | 4 years ago
motohagiography | 4 years ago
herodotus | 4 years ago
https://marcan2020.medium.com/reversing-smart-health-cards-e...
Hokusai | 4 years ago
gpderetta | 4 years ago
andrea_sdl | 4 years ago
mensetmanusman | 4 years ago
blitzar | 4 years ago
throwawayfear | 4 years ago
mwint | 4 years ago
I fear this will be used as an excuse to make the passport system even more centralized.
JumpCrisscross | 4 years ago
Arnt | 4 years ago
gpderetta | 4 years ago
Bancakes | 4 years ago
mithron | 4 years ago
menimaxi | 4 years ago
mdrzn | 4 years ago
framecowbird | 4 years ago
benkkey | 4 years ago
intunderflow | 4 years ago
sgjohnson | 4 years ago
kri8 | 4 years ago