
Entrust-issued certificate with compromised private key.


teg...@gmail.com

Jan 21, 2020, 9:43:53 AM
to mozilla-dev-s...@lists.mozilla.org
About 24 hours ago, this gist was published to Github:

https://gist.github.com/nstarke/a611a19aab433555e91c656fe1f030a9

It details two publicly-trusted certificates whose private keys are present in publicly-available Netgear firmware images.

One - which appears to remain valid at time of writing - is an OV certificate for "routerlogin.com" and variants, which was issued to Netgear by Entrust, https://crt.sh/?id=1955992027

=====

The other, issued by Sectigo/Comodo for "mini-app.funjsq.com" ( https://crt.sh/?id=615809732 ) seems to have been revoked not long after publishing.

Although it has been revoked, I am still personally curious as to how and why Netgear came to be in possession of that latter certificate's private keys in the first place. If funjsq knowingly provided it to Netgear, a closer look at other funjsq-related certificates might be in order. (And if they did not, obviously, there was a deeper and more serious failure somewhere.)

There are a number of certificates issued for funjsq.com subdomains, from a few different CAs: https://crt.sh/?q=funjsq.com

One certificate, although it is expired, piqued my interest when I first saw it: https://crt.sh/?id=325345427 for "asus-plugin.funjsq.com". This subdomain is apparently active, though it is presently served using funjsq's wildcard cert.

-NK

Dathan Demone

Jan 21, 2020, 2:07:14 PM
to mozilla-dev-s...@lists.mozilla.org
On January 20th at approximately 10:30 AM EST, Entrust Datacard was notified by a third party regarding an exposed private key for a certificate that we had issued to one of our customers.

A third-party incident report has been published here (the same link that was included in the original post to this thread):
https://gist.github.com/nstarke/a611a19aab433555e91c656fe1f030a9


In accordance with our CPS, we immediately contacted the customer to notify them that the certificate must be revoked within 24 hours from the time of notification to Entrust.

The certificate was revoked on January 21st at 10:24 am EST within the 24-hour time frame.

Here is a CT record for the certificate in question which now shows the OCSP status as revoked:
https://crt.sh/?id=1955992027

Benjamin Seidenberg

Jan 21, 2020, 2:07:49 PM
to mozilla-dev-s...@lists.mozilla.org
> One - which appears to remain valid at time of writing - is an OV certificate for "routerlogin.com" and variants, which was issued to Netgear by Entrust, https://crt.sh/?id=1955992027
>

Based on this tweet (https://twitter.com/FiloSottile/status/1219147543667453953?s=19) from 2020-01-20 06:39 UTC, it appears that Entrust failed to revoke this within 24 hours of "receipt of the Certificate Problem Report", not revoking until Jan 21 15:21:36 2020 GMT.

Will Entrust be filing an incident report for this?

(I also submitted a report separately, they revoked 7 minutes shy of 24 hours after mine, shortly after this note to the list).

Dathan Demone

Jan 21, 2020, 3:49:30 PM
to mozilla-dev-s...@lists.mozilla.org
We will be posting an incident report shortly once we complete our investigation.

Dathan Demone

Jan 23, 2020, 2:10:17 PM
to mozilla-dev-s...@lists.mozilla.org
An incident report has been posted here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1611241