
d-trust data protection incident


Amir Omidi (aaomidi)

Jan 19, 2025, 3:38:29 PM
to dev-secur...@mozilla.org
Hey there!

Does anyone know if this impacts their certificate issuance infrastructure as well?

Enrico Entschew

Jan 21, 2025, 3:47:51 PM
to dev-secur...@mozilla.org, Amir Omidi (aaomidi)

Hi Amir,

At all times, this incident did not impact our certificate issuance infrastructure. The affected data is independent of TLS and/or SMIME certificates.

Best regards,

Enrico Entschew

D-Trust

Hanno Böck

Feb 7, 2025, 4:40:26 AM
to Enrico Entschew, dev-secur...@mozilla.org, Amir Omidi (aaomidi)
Hello,

I would like to ask for some clarification here:

On Tue, 21 Jan 2025 12:47:51 -0800 (PST)
Enrico Entschew <e.ent...@d-trust.net> wrote:

> At all times, this incident did not impact our certificate issuance
> infrastructure. The affected data is independent of TLS and/or SMIME
> certificates.

The press release from D-Trust here
https://www.d-trust.net/de/newsroom/news/information-datenschutzvorfall-13-januar-2025
says that the attack only affected https://portal.d-trust.net/

I checked where I would end up when trying to get a TLS certificate
from D-Trust.
I found this page about TLS/SSL certificates:
https://www.d-trust.net/de/loesungen/tls-ssl-zertifikate
When I click on "TLS/SSL-Zertifikat bestellen", I end up at
https://www.d-trust.net/de/bestellen
which gives me two buttons. One is related to E-Health, I would assume
that this is unrelated to TLS certificates. The other one says "Zum
D-Trust-Portal", and if I click on it, I end up
at https://portal.d-trust.net/

This would at least strongly imply to me that portal.d-trust.net is the
place where I would get TLS certificates. Therefore, I would expect
that portal.d-trust.net is part of your certificate issuance
infrastructure.
Can you clarify?


Furthermore, let me say something else about this incident:
In my opinion, this is a poster child example of how not to deal with
security issues. The whole wording of the press release - putting scare
quotes around "security researcher", etc. - appears to paint this in a
way that makes it sound like the security researcher is the problem,
and not the fact that, apparently, D-Trust had a very embarrassing and
easily avoidable security flaw in their infrastructure.

To put it in other words: If a CA reacted like this to an incident
with the security of their certificate issuance, I think we would be
talking about distrusting that CA.

(And for all the others who may not have followed this incident, it
would appear that an anonymous security researcher found a simple IDOR
vulnerability in D-Trust's infrastructure. The researcher decided to
stay anonymous, and has asked the Chaos Computer Club to relay the
information:
https://www.ccc.de/en/updates/2025/dont-trust
Background here is that there is a very unfortunate legal situation in
Germany that can put well-meaning security researchers at risk, even
if they follow responsible disclosure practices. There was recently a
court ruling that confirmed this, you may want to google for "Modern
Solutions" to find more info on that.)


--
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/

Entschew, Enrico

Feb 12, 2025, 6:38:15 AM
to Hanno Böck, dev-secur...@mozilla.org, Amir Omidi (aaomidi)
Hi Hanno,

I have inserted my answers further down in the text, marked --> <--, and hope to contribute to a better understanding.

Thanks,
Enrico


-----Original Message-----
From: Hanno Böck <ha...@hboeck.de>
Sent: Friday, February 7, 2025 10:40 AM
To: Entschew, Enrico <e.ent...@d-trust.net>
Cc: dev-secur...@mozilla.org; Amir Omidi (aaomidi) <am...@aaomidi.com>
Subject: Re: d-trust data protection incident

Hello,

I would like to ask for some clarification here:

On Tue, 21 Jan 2025 12:47:51 -0800 (PST) Enrico Entschew <e.ent...@d-trust.net> wrote:

> At all times, this incident did not impact our certificate issuance
> infrastructure. The affected data is independent of TLS and/or SMIME
> certificates.

The press release from D-Trust here
https://www.d-trust.net/de/newsroom/news/information-datenschutzvorfall-13-januar-2025
says that the attack only affected https://portal.d-trust.net/

I checked where I would end up when trying to get a TLS certificate from D-Trust.
I found this page about TLS/SSL certificates:
https://www.d-trust.net/de/loesungen/tls-ssl-zertifikate
When I click on "TLS/SSL-Zertifikat bestellen", I end up at https://www.d-trust.net/de/bestellen
which gives me two buttons. One is related to E-Health, I would assume that this is unrelated to TLS certificates. The other one says "Zum D-Trust-Portal", and if I click on it, I end up at https://portal.d-trust.net/

This would at least strongly imply to me that portal.d-trust.net is the place where I would get TLS certificates. Therefore, I would expect that portal.d-trust.net is part of your certificate issuance infrastructure.
Can you clarify?

--> S/MIME and TLS certificates cannot be ordered via the ordering platform "https://portal.d-trust.net/". S/MIME and TLS certificates are requested and provided via the CMP interface, via ACME or via the self-service portal “Certificate Service Manager” (https://mycsm.d-trust.net). S/MIME and TLS certificates can only be requested upon an existing contractual relationship with the applicant – B2B customers are required to identify an employee to be provided with access to the self-service portal. <--

Furthermore, let me say something else about this incident:
In my opinion, this is a poster child example of how not to deal with security issues. The whole wording of the press release - putting scare quotes around "security researcher", etc. - appears to paint this in a way that makes it sound like the security researcher is the problem, and not the fact that, apparently, D-Trust had a very embarrassing and easily avoidable security flaw in their infrastructure.

To put it in other words: If a CA reacted like this to an incident with the security of their certificate issuance, I think we would be talking about distrusting that CA.

(And for all the others who may not have followed this incident, it would appear that an anonymous security researcher found a simple IDOR vulnerability in D-Trust's infrastructure. The researcher decided to stay anonymous, and has asked the Chaos Computer Club to relay the
information:
https://www.ccc.de/en/updates/2025/dont-trust
Background here is that there is a very unfortunate legal situation in Germany that can put well-meaning security researchers at risk, even if they follow responsible disclosure practices. There was recently a court ruling that confirmed this, you may want to google for "Modern Solutions" to find more info on that.)

--> D-Trust is grateful for any information that helps to improve our products and services. Therefore D-Trust offers a special contact at https://report.whistleb.com/en/bundesdruckerei. This ensures anonymous communication in terms of responsible disclosure practices. In the subject case D-Trust was not contacted here.

We regret that this case was not disclosed to us at all; instead, we were forced to react according to standard procedures and with all available legal measures in such cases. After D-Trust itself discovered the incident, D-Trust immediately informed the public as well as affected persons and initiated legal action against persons unknown. The use of our whistleblowing tool or any other communicative action of responsible disclosure to D-Trust immediately after the security researcher's discovery would likely have given us the possibility to react in a different way.

For press inquiries we also offer a respective address: pre...@bdr.de <--