--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20230609090430.3a4e8396e6e0b856fc81c6ab%40andrewayer.name.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/528b5350-1a32-4730-8e7b-16644d135274n%40mozilla.org.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/431eb7de-181e-4a32-9d22-3698bc7b0d0bn%40mozilla.org.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/0f9174b3-02d6-4ff6-a7fa-3b931375076dn%40mozilla.org.
Mr Seifried,
> Is this really a situation where something extremely suspicious (remote code execution, CA's with multiple entities, some of which don't seem to properly exist, etc.) is going to be swept under the rug with a simple "yeah, we revoked this bad actors certificates, everything is fine"?
We are a reseller, not a physical root CA. This is a widely accepted solution for cross border businesses. We have business accepts online payment, the China users needs pay via alipay or wechat, to sign up the merchant we must have a china company,and foreign needs stripe, merchant must be a non-MainlandChina company. this is not suspicious.*. I represent the above opinion of my company
> If HiCA can do this, how do we know there are not more intermediate/reseller CAs doing this?
Most CA has no necessary to exploiting this RCE, because they can natively compatible with RFC 8555, they can define own CPS and CP, which contains validation policy, we does because we are not CA and can't to provider RFC 8555 ACME endpoint like a CA does. so a physical root CA has no necessary to provide ACME simulation by RCE. and also there're more difficulties for a ssl reseller to provide ACME service which real CAs won't undergo.- CSR stage difference: Most CA's subscriber request process or reseller API process, requires CSR be submitted in the `new-order` API, ACME requires CSR be submitted in `finalize` API. I have a topic in letsencrypt community years ago about this - https://community.letsencrypt.org/t/why-acme-requires-domain-auth-first-before-csr/98482- Challenge difference: Most CA's subscriber request process or reseller API process's DNS validation requires `_<md5>` / `_dnsauth` dnshost, and dnstype possibly CNAME or possibly TXT, But ACME's DNS validation dnshost is constant: `_acme-challenge`, dnstype `TXT`. And in a more deep talk ACME's dnsvalue needs publickey's thumbprint + server token which is totally different than traditional way's dnsvalue.My opinion is community can research how many ACME was publicly provided, and investigate is the provider a physical CA. if is natively compatible with RFC 8555, no worry about that one and continue do investigate next.*. I represent the above opinion of my personal. not my company.Sincere,Bruce.
To be explicit, GTS does not have a business relationship with HiCA.
Normally ACME services have protections against these types of MitM-CAs, but the remote RCE allowed HiCA to bypass these controls [1, 2].
For instance, it is possible HiCA replaced the local client's key authorization during challenge validation with a key authorization provided by HiCA, granting authorization of the domain names to HiCA. HiCA could theoretically use these authorizations to continue to issue certificates for the affected domain names, or revoke the certificates that were issued.
So clients of HiCA should also consider the lasting effects on the the domains in addition to your normal recovery procedures for an RCE. It may be prudent to reissue and revoke any certificates with your choice of CA directly and to watch certificate transparency logs for any future unintended issuance. GTS allows authorization reuse up to 28 days on our ACME endpoint and issues certificates with lifetimes up to 90 days. Other CAs may differ. By the current baseline requirements CAs can issue 398 day certificates and reuse the authorizations for 398 days [3].
--
You received this message because you are subscribed to a topic in the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this topic, visit https://groups.google.com/a/mozilla.org/d/topic/dev-security-policy/heXVr8o83Ys/unsubscribe.
To unsubscribe from this group and all its topics, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CACsn0c%3DjQwd035WhDnWJe-BfrKY8Xfxq0_cKUFHDj2W4oWe6-Q%40mail.gmail.com.
Dear members.
I have conducted a background check on HiCA administrator Xiaohui Lam and would like to share the following with you. These findings are for reference only, so please evaluate them for yourself.
First, in 2013, Xiaohui Lam hijacked AFF promotions by exploiting vulnerabilities in Aliyun forums, defrauded hostloc members by installing backdoors in Discuz forum plugins, and stole others' social accounts through leaked data from CSDN [^1].
Second, in 2015, Xiaohui Lam exploited a vulnerability in the GlobalSign system to sell a large number of 5-year wildcard certificates, but all certificates were revoked after they were discovered [^2].
I would like to emphasize that these are past actions of HiCA administrators and I do not think he will repeat the same mistakes again. However, these events show that he is not a developer who knows very little about security. In the past, he has been someone who knew how to mine vulnerabilities, exploit them and commit fraud and threats against customers.
Based on the above findings, I believe we need to take the following steps:
1. Considering that he suggested users to execute his script RCE[^3] with root privileges on his official website, we should send a reminder email to all users who have applied for a certificate, asking them to evaluate whether there is unauthorized code on their machines.
2. the results of the query found that Mr. Lam has two CAs: HiCA and Quantum CA. the website for registration information about Quantum CA is acme.hi.cn. then we need to confirm whether they are using the same infrastructure and whether Quantum CA also uses RCE to issue certificates [^4].
Mr. Lam has shut down HiCA's infrastructure after he was found to be using RCE, but we still need to do a more detailed assessment.
As a member of the community, I believe transparency and trust are vital to us. I hope Mr. Lam will provide the community with a more complete statement and evidence so that the community can evaluate this incident.
[^1]: https://web.archive.org/web/20130816004143/http://bbs.aliyun.com/read.php?tid=144441
--
You received this message because you are subscribed to a topic in the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this topic, visit https://groups.google.com/a/mozilla.org/d/topic/dev-security-policy/heXVr8o83Ys/unsubscribe.
To unsubscribe from this group and all its topics, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEi6wDMyvGa26QOoa4CzqqbW-cYJfWDpJDpxS3e1EaGG1TbOng%40mail.gmail.com.
This is to provide an update on the revocation of the QuantumCA SubCAs. They were all revoked within the required timeframe. Since they were never enabled for ACME, there was never an issue with these SubCAs being used in the HiCA acme.sh RCE client.