Hi,
I have recently reported a number of certificates with compromised
private keys to CAs due to the recent Fortigate incident. In at least
two instances, it appears those reports were not reacted upon due to
spam filters either rejecting those reports or putting those mails
into quarantine. (The latter is worse, as it does not even generate
an error visible to me as the reporter.)
See also:
https://bugzilla.mozilla.org/show_bug.cgi?id=1942241
https://bugzilla.mozilla.org/show_bug.cgi?id=1942877
https://bugzilla.mozilla.org/show_bug.cgi?id=1942879
It would appear this is not the first time something like this has happened:
https://bugzilla.mozilla.org/show_bug.cgi?id=1886626
In all those instances, it appears CAs were using problem reporting
mail addresses hosted at Microsoft's email services. It would appear
that Microsoft's spam filter has a tendency to filter mails with
attachments containing private keys or certificates. (Not that this
makes much sense, at least I am not aware of a tendency of spammers to
send private keys or X.509 certificates around.)
Obviously, that is far from ideal, as a problem report with
certificates and private keys attached is basically the absolute
standard case of certificate problem reporting. I would assume that it
is the CA's responsibility to make sure that they can receive such
problem reports, and to make sure their mail service does not operate spam
filters that filter out legitimate problem reports.
As far as I know, Microsoft is a CA itself, a CA root program operator,
and part of the CA/Browser Forum. I guess Microsoft representatives are
reading this mail. Maybe they want to give helpful advice to their
customers in the CA space on how they can configure their mail accounts in
a way that allows using them as a reliable problem reporting mechanism.
--
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/