Bug 1301009 - Adding leaked securelogin.arubanetworks.com certificate to OneCRL
Status: RESOLVED WONTFIX (Closed)
Opened 8 years ago; closed 8 years ago
Product/Component: Core :: Security: PSM (defect)
Reporter: freddy; Assignee: Unassigned
Details
Sec-Consult found that many appliances contain the same certificate (including the private key) for securelogin.arubanetworks.com. This is widely used for captive portals. The certificate is publicly trusted. Admins can replace the built-in certificate with their own, so we're not breaking captive portals completely.
Article: http://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html
Advisory containing the private key: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160906-0_Aruba_Networks_Browser_trusted_cert_private_key_embedded_v10.txt
Additional Certificate Details: https://crt.sh/?id=333422
Comment 1 • 8 years ago
For when we have a decision on a blocklist entry, the data should be as follows:
issuer: MGExCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMR0wGwYDVQQLExREb21haW4gVmFsaWRhdGVkIFNTTDEbMBkGA1UEAxMSR2VvVHJ1c3QgRFYgU1NMIENB
serial: AdpS
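As an added example (my own code, not from this bug or from Mozilla's OneCRL implementation), the following Python decodes the issuer/serial pair quoted above into readable form and applies the match rule a OneCRL entry expresses: a certificate is blocked when its DER-encoded issuer name and its serial number both equal the entry's. The minimal DER walker and the `is_blocked` helper are assumptions of mine; the issuer and serial values are exactly those in the comment, and a real certificate's issuer DER and integer serial would come from any X.509 library.

```python
import base64

# OneCRL-style blocklist entry as quoted in comment 1:
# issuer = base64 of the DER-encoded Name, serial = base64 of the DER INTEGER content bytes.
ARUBA_ENTRY = {
    "issuer": "MGExCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMR0wGwYDVQQLExRE"
              "b21haW4gVmFsaWRhdGVkIFNTTDEbMBkGA1UEAxMSR2VvVHJ1c3QgRFYgU1NMIENB",
    "serial": "AdpS",
}
# X.520 short names for the attribute types that occur in this issuer name.
OID_NAMES = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN"}

def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (not needed here, but cheap)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OID content bytes to dotted form, e.g. 55 04 03 -> '2.5.4.3'."""
    arcs, val = list(divmod(raw[0], 40)), 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def issuer_to_string(issuer_der):
    """Walk Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue) and render as 'C=US, O=...'."""
    _, seq, _ = der_tlv(issuer_der, 0)
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = der_tlv(seq, pos)      # one RelativeDistinguishedName (SET)
        _, atv, _ = der_tlv(rdn, 0)          # SEQUENCE { type OID, value }
        _, oid, p = der_tlv(atv, 0)
        _, value, _ = der_tlv(atv, p)
        oid = decode_oid(oid)
        parts.append(f"{OID_NAMES.get(oid, oid)}={value.decode('ascii')}")
    return ", ".join(parts)

def entry_identity(entry):
    """(issuer DER bytes, serial as int) for a OneCRL-style entry; DER INTEGER is two's complement."""
    issuer_der = base64.b64decode(entry["issuer"])
    serial = int.from_bytes(base64.b64decode(entry["serial"]), "big", signed=True)
    return issuer_der, serial

def is_blocked(entry, cert_issuer_der, cert_serial):
    """True when a certificate's DER issuer name and integer serial both equal the entry's."""
    return (cert_issuer_der, cert_serial) == entry_identity(entry)
```

Running `issuer_to_string` on the decoded entry yields `C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA` with serial 0x01DA52, which is how a defender can confirm that a proposed entry names the intended issuing CA before it is added.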
Comment 2 • 8 years ago
I've asked around, and can't find much incidence of this service being used much in the wild. It seems to be a low-risk situation. As OneCRL isn't intended to be a list of all revoked certificates, I'm marking this WONTFIX. I'm willing to entertain an alternate perspective; I feel like I just need a run-down of how this is dangerous enough to place into OneCRL.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX