Overview
On July 4, 2024, an important update changed the landscape for anyone using Python’s Certifi library to validate SSL/TLS connections. The maintainers of Certifi released version 2024.07.04, which removed GLOBALTRUST's root certificates from its trusted store. This was done after serious compliance issues came to light, following an ongoing investigation. Let’s break down what this means, why you should care, and how it might affect your Python applications.
What is Certifi?
Certifi is a Python library that delivers a fresh and curated collection of Root Certificates, mainly for validating SSL certificates and authenticating TLS hosts. Think of it as the default source of CA certificates for lots of Python projects, from requests to urllib3.
Certifi draws its trust list from Mozilla’s trusted root program to ensure that connections you make over the internet are encrypted and authenticated properly. If the root store is compromised, all downstream users might be at risk.
Background: The GLOBALTRUST Story
Between version 2021.05.30 and 2024.07.03, Certifi included root certificates issued by GLOBALTRUST (InfoSign GmbH). However, following reports of “long-running and unresolved compliance issues” (see Mozilla Bug 1892719), GLOBALTRUST’s certificates are in the process of being removed from Mozilla’s trust store—and Certifi is following suit.
Why is this a big deal?
Compliance issues with a Certificate Authority (CA) often mean they failed to operate securely, or didn’t follow the strict rules required to issue and manage certificates. When such a CA is trusted, it could allow attackers to intercept or manipulate supposedly secure connections.
CVE-2024-39689 assigns a formal name to this trust issue:
> Certifi 2021.05.30 up to (but not including) 2024.07.04 trusted root certificates from GLOBALTRUST, despite ongoing and unresolved compliance issues. As of Certifi 2024.07.04, these roots have been removed, closing a trust hole in the library's CA bundle.
Links
- Security Advisory on GitHub
- Release Notes for 2024.07.04
- Mozilla Bug 1892719
- Mozilla CA Incidents List
What Risks Did These Certificates Create?
If your Python app relied on Certifi during the affected versions, it would trust the GLOBALTRUST roots. That means:
- Any certificate chaining up to those GLOBALTRUST roots would be accepted as valid, even if those roots should not be trusted.
- Attacks like MITM (Man-in-the-Middle) were potentially possible if an attacker or a compromised website possessed or misused a GLOBALTRUST-issued certificate.
Here’s a simple script to check if a GLOBALTRUST root exists in your Certifi bundle:

```python
import certifi

# Read certifi's CA bundle (a single PEM file)
with open(certifi.where(), "r", encoding="utf-8") as f:
    pem_data = f.read()

# Look for GLOBALTRUST (certifi's bundle labels each root in a comment line above it)
if "GLOBALTRUST" in pem_data:
    print("GLOBALTRUST roots are still in your certifi trust store!")
else:
    print("GLOBALTRUST roots are NOT present. You're safe.")
```
Output Example

```text
GLOBALTRUST roots are still in your certifi trust store!
```

Update your installation to at least version 2024.07.04:

```shell
pip install --upgrade certifi
```

Re-run the Python snippet above. You should see:

```text
GLOBALTRUST roots are NOT present. You're safe.
```
Step 3: Rollout
If your project bundles its own CA certificates or has a custom SSL/TLS stack, ensure you update those as well.
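To go a step beyond the substring check above and cover the custom bundles this step mentions, here is an added example (not code from the original post or from the certifi project). It parses a bundle in certifi's cacert.pem layout, which it assumes puts `# Issuer:`, `# Subject:` and `# Label:` comment lines in front of each certificate, reports which labelled roots match a CA name, and checks every bundle path a Python process could end up trusting: the REQUESTS_CA_BUNDLE, CURL_CA_BUNDLE and SSL_CERT_FILE overrides, certifi's own file, and OpenSSL's compiled-in default. The two-entry bundle embedded below is constructed test data with dummy certificate bodies, not real roots.

```python
"""Audit every CA bundle a Python process might use for a given root.

Added example; assumes certifi's cacert.pem layout (comment header per cert)
and the environment variables below as bundle overrides.
"""
import os
import ssl
from dataclasses import dataclass

# Environment variables that redirect Python TLS stacks to another bundle
# (requests/urllib3, curl-style tooling, and OpenSSL itself).
CERT_ENV_VARS = ("REQUESTS_CA_BUNDLE", "CURL_CA_BUNDLE", "SSL_CERT_FILE")
FIXED_VERSION = (2024, 7, 4)  # first certifi release without the GLOBALTRUST roots

# Constructed sample bundle: two entries in certifi's layout with dummy bodies.
SAMPLE_BUNDLE = """# Issuer: CN=Example Trust Root O=Constructed Example Org
# Subject: CN=Example Trust Root O=Constructed Example Org
# Label: "Example Trust Root"
# Serial: 1
-----BEGIN CERTIFICATE-----
QkFTRTY0LURVTU1ZLUJPRFktTk9ULUEtUkVBTC1DRVJU
-----END CERTIFICATE-----

# Issuer: CN=GLOBALTRUST 2020 O=Constructed Example Org
# Subject: CN=GLOBALTRUST 2020 O=Constructed Example Org
# Label: "GLOBALTRUST 2020"
-----BEGIN CERTIFICATE-----
QkFTRTY0LURVTU1ZLUJPRFktTk9ULUEtUkVBTC1DRVJU
-----END CERTIFICATE-----
"""


@dataclass
class BundleEntry:
    label: str
    issuer: str
    subject: str
    pem: str


def parse_bundle(text: str) -> list[BundleEntry]:
    """Pair each PEM block with the comment header that precedes it."""
    entries, header, pem_lines = [], {}, None
    for line in text.splitlines():
        if pem_lines is None:
            # Outside a PEM block: collect the header fields certifi writes.
            for key in ("Issuer", "Subject", "Label"):
                prefix = f"# {key}: "
                if line.startswith(prefix):
                    header[key.lower()] = line[len(prefix):].strip().strip('"')
            if line == "-----BEGIN CERTIFICATE-----":
                pem_lines = [line]
            continue
        pem_lines.append(line)
        if line == "-----END CERTIFICATE-----":
            entries.append(BundleEntry(header.get("label", ""), header.get("issuer", ""),
                                       header.get("subject", ""), "\n".join(pem_lines)))
            header, pem_lines = {}, None
    return entries


def find_roots(text: str, needle: str) -> list[BundleEntry]:
    """Return entries whose label, issuer or subject mentions `needle` (case-insensitive)."""
    n = needle.lower()
    return [e for e in parse_bundle(text)
            if n in e.label.lower() or n in e.issuer.lower() or n in e.subject.lower()]


def version_is_fixed(version: str) -> bool:
    """True when a certifi version string (e.g. '2024.07.04') is at or past the fix."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts >= FIXED_VERSION


def candidate_bundles() -> dict[str, str]:
    """Every bundle path this process could end up trusting, keyed by its source."""
    found = {}
    for var in CERT_ENV_VARS:
        if os.environ.get(var):
            found[var] = os.environ[var]
    try:
        import certifi  # optional: only present if the package is installed
        found["certifi"] = certifi.where()
    except ImportError:
        pass
    default = ssl.get_default_verify_paths().cafile  # OpenSSL's compiled-in CA file, or None
    if default:
        found["openssl-default"] = default
    return found


def audit(needle: str = "GLOBALTRUST") -> dict[str, list[str]]:
    """Map each candidate bundle to the labels of matching roots it still contains."""
    report = {}
    for source, path in candidate_bundles().items():
        try:
            with open(path, encoding="utf-8") as f:
                report[source] = [e.label for e in find_roots(f.read(), needle)]
        except OSError:
            report[source] = ["<unreadable>"]
    return report


if __name__ == "__main__":
    for source, labels in audit().items():
        status = "STILL TRUSTED: " + ", ".join(labels) if labels else "clean"
        print(f"{source}: {status}")
```

Running the module prints one line per bundle source; a non-empty label list for any source means that stack still trusts the root even if certifi itself has been upgraded, which is exactly the case this rollout step is about.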
Example: Breaking Changes in Code
After updating Certifi, connections to sites using certificates issued *only* by GLOBALTRUST roots will now fail. For example:
```python
import requests

try:
    # Replace with a real GLOBALTRUST-issued site, if any are left
    resp = requests.get("https://some-globaltrust-only-site.example")
    print("OK:", resp.status_code)
except requests.exceptions.SSLError as e:
    # Raised once no trusted root in certifi's bundle can validate the chain
    print("SSL validation failed:", e)
```
Result:

```text
SSL validation failed: [SSL: CERTIFICATE_VERIFY_FAILED] ...
```
What About Mozilla?
The Mozilla Root Program is simultaneously removing GLOBALTRUST for all Firefox users. Certifi is just “catching up.”
Mozilla’s investigation unearthed multiple incidents, including improper certificate issuance and failures to follow best security practices. For more: Mozilla Bugzilla Incident.
References
- CVE-2024-39689 at NVD (pending)
- Certifi Advisory
- Certifi Release Notes
- Mozilla Bug 1892719
- GlobalTrust Official Site (for context)
If your systems rely on Certifi or related libraries, update today and check for broken dependencies now that GLOBALTRUST is gone for good.
Timeline
Published on: 07/05/2024 19:15:10 UTC
Last modified on: 07/08/2024 15:49:22 UTC