
DigiCert ROCA fingerprint incident report


Jeremy Rowley

Nov 7, 2017, 1:21:36 PM
to mozilla-dev-s...@lists.mozilla.org
Hey everyone,

Here's the DigiCert incident report about the ROCA fingerprints. Note that
these were all issued by Symantec (i.e., before the transaction closed).

We became aware of the issue when it was posted to the mailing list.
However, at that time, the certs were not operated by DigiCert. We became
aware that DigiCert needed to take action on close (Nov 1). At that time,
the new combined team launched an investigation to determine the impacted
certs. Six certs were identified and revoked:

4a907fbfc90eb043c50c9c8ace6305a1
8008c178d0d4cd3d79acc09f6ac132c
2dab9a2d40a2f55c5d705551cf7cafe5
306b67f5c25ee0fd495d2be88979eb72
7c7b826b183093ba1e5b9850ac31d806
4c834767e44ecbd0cdef8e60c04dcf32

These certs were all revoked around Nov 3, within 24 hours of identifying
the impacted certs at DigiCert.

Jeremy

Alex Gaynor

Nov 7, 2017, 1:23:30 PM
to Jeremy Rowley, mozilla-dev-s...@lists.mozilla.org
Hi Jeremy,

Have all these certificates been submitted to CT?

Thanks!
Alex

Jeremy Rowley

Nov 7, 2017, 1:27:49 PM
to Alex Gaynor, mozilla-dev-s...@lists.mozilla.org
I believe so – I asked that they all be logged, but I’ll need to double check whether it got done.

Kurt Roeckx

Nov 7, 2017, 1:39:08 PM
to Jeremy Rowley, mozilla-dev-s...@lists.mozilla.org
Hi,

What I miss is what has been done to prevent new ones from being
issued.


Kurt


Jeremy Rowley

Nov 7, 2017, 1:40:58 PM
to Kurt Roeckx, mozilla-dev-s...@lists.mozilla.org
Yeah - still trying to get that info. I'll update this list right when I
know what's been done. I'm not 100% sure at this point, but I wanted to
post early and update rather than wait until I know everything. Sorry - I
should have specified that in the original email.


Jeremy Rowley

Nov 7, 2017, 2:03:49 PM
to Jeremy Rowley, Kurt Roeckx, mozilla-dev-s...@lists.mozilla.org
More info (that was sent to me a while ago, I just missed the report):

There were actually seven. I missed this one:
Serial: "a18e9"

We installed a patch to stop accepting ROCA keys for TLS certs on
2017-10-26. A patch for code signing and email certs is coming shortly.
Once that patch is installed, we will repeat our scans for any additional
vulnerable certificates that were issued in the interim.
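The issuance-side gate Jeremy describes (refusing ROCA keys before a cert is signed) can be built on the published ROCA fingerprint test; the block below is an added example and is not DigiCert's, Symantec's or the roca-detect project's code. It relies on the key structure Nemec et al. documented for the affected Infineon library: each prime has the form k*M + (65537^a mod M) with M a primorial, so the modulus n = p*q satisfies n mod r in the subgroup generated by 65537 for every small prime r dividing M. The 512-bit demo primes, the exponents a and b, and the Miller-Rabin helper are assumptions made only to construct test keys.

```python
from functools import reduce
from random import randrange

E = 65537
# The 38 small primes 3..167, as in the published fingerprint; the affected
# generator's M is a primorial, so for every key size it is a multiple of
# this product. 2 is left out because 65537 mod 2 generates only {1}.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
                137, 139, 149, 151, 157, 163, 167]
M = reduce(lambda a, b: a * b, SMALL_PRIMES)

def cyclic_subgroup(g, r):
    """Residues {g^k mod r}: the only values a ROCA modulus can take mod r."""
    return {pow(g, k, r) for k in range(r - 1)}

ALLOWED = {r: cyclic_subgroup(E, r) for r in SMALL_PRIMES}

def has_roca_fingerprint(n):
    """ROCA test: n mod r must lie in <65537> for every small prime r."""
    return all(n % r in ALLOWED[r] for r in SMALL_PRIMES)

def is_probable_prime(n, rounds=16):
    """Miller-Rabin for odd n > 3; adequate for demo keys, not production."""
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def roca_style_prime(bits, a):
    """Constructed: a prime of the vulnerable form k*M + (65537^a mod M)."""
    residue, kbits = pow(E, a, M), bits - M.bit_length()
    while True:
        p = randrange(1 << (kbits - 1), 1 << kbits) * M + residue
        if p & 1 and is_probable_prime(p):
            return p

def ordinary_prime(bits):
    """Constructed: a prime with no ROCA structure, for comparison."""
    while True:
        p = randrange(1 << (bits - 1), 1 << bits) | 1
        if is_probable_prime(p):
            return p
```

A CSR whose modulus passes has_roca_fingerprint should be rejected at submission; an ordinary key passes all 38 residue checks with probability on the order of 2^-150, so false rejections are not a practical concern.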

Rob Stradling

Nov 8, 2017, 7:04:44 AM
to Jeremy Rowley, Alex Gaynor, mozilla-dev-s...@lists.mozilla.org
I see all 7 of the certs identified in this thread in crt.sh:

Serial number: 4a907fbfc90eb043c50c9c8ace6305a1
SAN->dNSName: [www.]asik-portal.com
https://crt.sh/?id=13734110

Serial number: 8008c178d0d4cd3d79acc09f6ac132c
SAN->dNSName: *.Thameswater.co.uk
https://crt.sh/?id=249452540

Serial number: 2dab9a2d40a2f55c5d705551cf7cafe5
SAN->dNSName: *.thameswater.co.uk
https://crt.sh/?id=249452542

Serial number: 306b67f5c25ee0fd495d2be88979eb72
SAN->dNSName: *.thameswater.co.uk
https://crt.sh/?id=249452543

Serial number: 7c7b826b183093ba1e5b9850ac31d806
SAN->dNSName: *.thameswater.co.uk
https://crt.sh/?id=249452544

Serial number: 4c834767e44ecbd0cdef8e60c04dcf32
SAN->dNSName: r02s06.nex.yahoo.com
https://crt.sh/?id=153622290

Serial number: a18e9
Domain name: [www.]vwiscada.com
https://crt.sh/?id=42223834


--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
