Closed Bug 1301009 Opened 8 years ago Closed 8 years ago

Adding leaked securelogin.arubanetworks.com certificate to OneCRL

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: freddy, Unassigned)

Details

Sec-Consult found that many appliances contain the same certificate (including the private key) for securelogin.arubanetworks.com.

This is widely used for captive portals. The certificate is publicly trusted. Admins can replace the built-in certificate with their own, so we're not breaking captive portals completely.



Article: http://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html
Advisory containing the private key: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160906-0_Aruba_Networks_Browser_trusted_cert_private_key_embedded_v10.txt
Additional Certificate Details: https://crt.sh/?id=333422
For when we have a decision on a blocklist entry, the data should be as follows:

issuer: MGExCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMR0wGwYDVQQLExREb21haW4gVmFsaWRhdGVkIFNTTDEbMBkGA1UEAxMSR2VvVHJ1c3QgRFYgU1NMIENB
serial: AdpS
I've asked around, and can't find much incidence of this service being used much in the wild. It seems to be a low-risk situation. As OneCRL isn't intended to be a list of all revoked certificates, I'm marking this WONTFIX. 

I'm willing to entertain an alternate perspective; I feel like I just need a run-down of how this is dangerous enough to place into OneCRL.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.