--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/37cff300-b57a-4b38-82e0-a514b4557b07n%40mozilla.org.
I agree that something should be done swiftly. If you did this, who else could have. Also, has the authority been notified, and have they simply changed the passwords yet? Ie could a threat actor watching this list now go there and get into the system after the disclosure
Hi,
We really appreciate the efforts of the reporter in identifying some security issues. At the same time, we are also glad that our customer facing SSL ecosystem is secure and hence not vulnerable to security threats.
It is our internal ecosystem, deploying some other applications than our CA /SSL certificate life cycle system. Right after receiving the email, we made an immediate action to resolve the default password problem. Both SSL and other products have their own separate ecosystems and processes which do not conflict with each other. The logs and email access you got was related to resellers, customers and application processes but not for CA SSL certificate issuance. As claimed in the blog, he was unable to access the DV SSL validation email because a separate CA email validation component is in operation and not accessible to any system.
eTugra CA/SSL ecosystem is pen-tested annually and all the infrastructure changes ensuring the CA/B Network Security Guidelines are in place. We once again want to appreciate you attempting to point out any possible threats as such reports always help reassess our system and come back with extra feel of security.
@Kurt Seifried, on your point (just a few days ago, etugra renewed everything using their own CA, but they also did a lot of them in July/August of this year
We were in the process of inclusion of new Root CAs. We generated both test sub-CAs and test SSL certificates. You can find more details from this link:
https://bugzilla.mozilla.org/show_bug.cgi?id=1628720#c31
An incident report is also published on this link:
https://bugzilla.mozilla.org/show_bug.cgi?id=1801345
In my personal capacity, as I review the published facts that exist here, there are a few broad things from a BR perspective that stand out to me:
All CAs are required to have incident response and compromise handling procedures. The timeline presented in Ian’s post suggests that no such plan exists, the plan that exists is insufficient, or the plan is not staffed.
All CAs are required to perform an annual Risk Assessment. The existence of administrative consoles on the internet, default administrative passwords being in use, and the ability to in an uncontrolled fashion add new administrative users tells us this either is not happening or is being performed by individuals with zero understanding of security.
All CAs are required to perform an annual penetration test. The existence of these trivial issues suggests that either this was not happening or it was being performed by individuals with zero understanding of security.
While PKI-related auditors tend to have a limited understanding of PKI and security, in all my time in this industry they have always demonstrated an understanding of IT accounting principles that would be sufficient to identify these trivial deficiencies.
I would go so far as to say that these are such basic issues the fact that e-Turga has continually been able to acquire a sufficiently clean audit report to stay within the various programs suggests either a disqualifying skill deficiency or an integrity issue related to the auditing firms.
I also think this incident shows that the current root program requirements and BRs are too generous when it comes to trusting CAs to implement reasonable incident response procedures.
Some things that should be considered moving forward include:
Requiring the availability of a documented method for reporting security concerns.
Requiring a minimum response time for the initial response to these reports.
Requiring that the final disposition of these reports be communicated to the reporter.
Requiring that subscribers be notified of any compromises to the certificate management-related systems.
Today only issues related to a security issue requiring revocation of an intermediate or cert chaining to a trusted root require the creation of a bug in Bugzilla, this should be expanded to minimally include compromise of any certificate management-related system.
Requiring that all security incidents be summarized in some reasonable detail and made available in CCADB for root program administrators.
Requiring the identification of who performed the penetration testing, a summary of what was assessed, and a summary fo their findings.
I also believe a common theme in CA failures like these is the lack of qualifications and independence of the auditors and security professionals used to assess the correctness and conformance of the systems.
I don’t know how best to address this but this incident also seems to suggest that the requirement to use a “qualified auditor” and penetration testers with the “skills, tools, proficiency, code of ethics, and independence” is not sufficient.
Ryan Hurst
(Personal Capacity)
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/cc07165b-31bd-4e2d-a96b-e4b6d9611445n%40mozilla.org.
>There are many statements about M of N, HSM access, etc which do not appear
>to be relevant to this issue.
That's not specific to e-Tughra though, that's standard for CAs where what
gets audited is all the fancy security mechanisms around the CA's private
key(s) and what barely, or not at all, gets audited is the various RAs that
pull the CA's strings.
Years ago I saw a cartoon lampooning a certain country's defence policy which
had lifeguard-style flags set up on a piece of open ground and a sign between
them saying "Please attack between the flags". With CA's it'd be "please
audit between the flags".
Not defending or criticising e-Tughra, just pointing out that this isn't their
fault, it's How CAs Are Done.
Peter.
This thread and associated bug have been silent for an uncharacteristically long time, and I am curious as to when this issue will be closed.
Furthermore, I would like to understand what changes will be put into place to clarify appropriate incident handling behavior. It is important that Mozilla establishes a clear protocol for handling security incidents and communicates this effectively to all participants.
I am also curious in how Mozilla will choose to interpret the facts that have been made available. The way in which this incident is handled will establish a precedent for future security incidents, and it is important that Mozilla approaches this with a clear and consistent stance.
Ryan Hurst
This thread and associated bug have been silent for an uncharacteristically long time, and I am curious as to when this issue will be closed.
Furthermore, I would like to understand what changes will be put into place to clarify appropriate incident handling behavior. It is important that Mozilla establishes a clear protocol for handling security incidents and communicates this effectively to all participants.
I am also curious in how Mozilla will choose to interpret the facts that have been made available. The way in which this incident is handled will establish a precedent for future security incidents, and it is important that Mozilla approaches this with a clear and consistent stance.
Ryan Hurst
On Monday, November 28, 2022 at 2:52:47 AM UTC-8 Peter Gutmann wrote:Ian Carroll <i...@ian.sh> writes:>There are many statements about M of N, HSM access, etc which do not appear
>to be relevant to this issue.That's not specific to e-Tughra though, that's standard for CAs where what
gets audited is all the fancy security mechanisms around the CA's private
key(s) and what barely, or not at all, gets audited is the various RAs that
pull the CA's strings.Years ago I saw a cartoon lampooning a certain country's defence policy which
had lifeguard-style flags set up on a piece of open ground and a sign between
them saying "Please attack between the flags". With CA's it'd be "please
audit between the flags".Not defending or criticising e-Tughra, just pointing out that this isn't their
fault, it's How CAs Are Done.Peter.
This thread and associated bug have been silent for an uncharacteristically long time, and I am curious as to when this issue will be closed.
Furthermore, I would like to understand what changes will be put into place to clarify appropriate incident handling behavior. It is important that Mozilla establishes a clear protocol for handling security incidents and communicates this effectively to all participants.
I am also curious in how Mozilla will choose to interpret the facts that have been made available. The way in which this incident is handled will establish a precedent for future security incidents, and it is important that Mozilla approaches this with a clear and consistent stance.
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ff8b9a97-7088-4465-9104-eaf665d38147n%40mozilla.org.
All,
We’d like to extend our appreciation to Ian Carroll for reporting this issue to us, and for Ian’s continued availability during the incident’s discussion (both here and on Bugzilla).
After full consideration of the available information related to the vulnerabilities disclosed at https://ian.sh/etugra, including that of incident reports and other public responses, we have decided that in order to appropriately protect and safeguard Chrome users, the following e-Tugra Root CA certificates will be removed from the Chrome Root Store:
Most Chrome users will automatically receive these updates via Component Updater immediately after publication of Version 11 of the Chrome Root Store (expected no later than June 15, 2023). In the event that a Chrome user has disabled Component Updater, these changes will be enabled by default beginning in Chrome Version 115 (stable release approximately July 18, 2023). No additional Chrome user action is required.
We only observe test certificates chaining to the roots listed above (examples [1], [2], and [3]). Consequently, it is our understanding that there is no impact to e-Tugra subscribers or Chrome users as a result of this change.
We may take further action, or accelerate the timeline described above, as additional information becomes available to us.
- Ryan
On behalf of the Chrome Root Program
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CABqVa3-JgfmFu_9H4Bic6eC2ZnKA8wSG5aewyUH06CC49CjSkA%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "CCADB Public" group.
To unsubscribe from this group and stop receiving emails from it, send an email to public+un...@ccadb.org.
To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/CABqVa39akV6CjPTfBr8oKumv6Q%2B5Tw8%2BWCME38-fhQLx7C%3DHJQ%40mail.gmail.com.