Bug 1334377 - Symantec: Mis-issued test certificates by CrossCert
Status: NEW
Whiteboard: [ca-incident-response]
Product: NSS
Classification: Components
Component: CA Certificate Mis-Issuance
Priority: -- Severity: normal
Assigned To: Kathleen Wilson
Blocks: 1099311
Reported: 2017-01-26 21:32 PST by Kathleen Wilson
Modified: 2017-05-15 14:09 PDT
Flags: patrickt: needinfo? (patrickt)

Attachments
Symantec Certificate Problem Report Jan 26 2017.pdf (58.15 KB, application/pdf) - 2017-01-26 21:34 PST, Kathleen Wilson
Report of Independent Accountant - Certisign (353.25 KB, application/pdf) - 2017-01-30 19:43 PST, Steven Medin
CERTSUPERIOR 2016 WebTrust (2.29 MB, application/pdf) - 2017-01-30 19:44 PST, Steven Medin
Deloitte Point in Time Certsuperior (116.34 KB, application/pdf) - 2017-01-30 19:44 PST, Steven Medin
Deloitte Certsuperior Annex A (236.42 KB, application/pdf) - 2017-01-30 19:45 PST, Steven Medin
Symantec Responses to Misissuance Questions Jan 30 2017 (46.13 KB, application/pdf) - 2017-01-30 19:46 PST, Steven Medin
Symantec Second Response to Misissuance Questions - Feb 12 2017 (69.96 KB, application/pdf) - 2017-02-12 07:24 PST, Steven Medin
Symantec Third Response to Misissuance Questions Feb 17 2017 (72.11 KB, application/pdf) - 2017-02-17 20:29 PST, Steven Medin
Symantec Fourth Response to Misissuance Questions Mar 3 2017 (24.56 KB, application/pdf) - 2017-03-03 13:08 PST, Steven Medin
All Audits (8.20 MB, application/zip) - 2017-03-03 13:09 PST, Steven Medin
Certisign CY2012 WTCA (150.92 KB, application/pdf) - 2017-04-10 08:01 PDT, Steven Medin
CrossCert 2015-2016 WTBR Audit (102.08 KB, application/pdf) - 2017-04-10 08:02 PDT, Steven Medin
Certsuperior 5-2015 4-2016 Corrected Scope (4.47 MB, application/pdf) - 2017-04-10 15:59 PDT, Steven Medin
Mozilla Feedback Consolidated Responses (123.77 KB, application/pdf) - 2017-04-20 16:52 PDT, Steven Medin
Aetna WTCA 2015 (401.02 KB, application/pdf) - 2017-05-12 15:32 PDT, Steven Medin
Aetna WTBR 2015 (268.79 KB, application/pdf) - 2017-05-12 15:33 PDT, Steven Medin
Symantec Response to Further Questions from Mozilla (75.06 KB, application/pdf) - 2017-05-15 08:06 PDT, Steven Medin
SSP PROF Common Policy v1.7 (1.81 MB, application/pdf) - 2017-05-15 14:09 PDT, Steven Medin

Description Kathleen Wilson 2017-01-26 21:32:49 PST
From
https://groups.google.com/d/msg/mozilla.dev.security.policy/fyJ3EK2YOP8/yvjS5leYCAAJ

I. Misissued certificates for example.com

On 2016-07-14, Symantec misissued the following certificates for example.com:

        https://crt.sh/?sha256=A8F14F52CC1282D7153A13316E7DA39E6AE37B1A10C16288B9024A9B9DC3C4C6
        https://crt.sh/?sha256=8B5956C57FDCF720B6907A4B1BC8CA2E46CD90EAD5C061A426CF48A6117BFBFA
        https://crt.sh/?sha256=94482136A1400BC3A1136FECA3E79D4D200E03DD20B245D19F0E78B5679EAF48
        https://crt.sh/?sha256=C69AB04C1B20E6FC7861C67476CADDA1DAE7A8DCF6E23E15311C2D2794BFCD11

I confirmed with ICANN, the owner of example.com, that they did not
authorize these certificates.  These certificates were already revoked
at the time I found them.


II. Suspicious certificates for domains containing the word "test"

On 2016-11-15 and 2016-10-26, Symantec issued certificates for various
domains containing the word "test" which I strongly suspect were
misissued:

        https://crt.sh/?sha256=b81f339b971eb763cfc686adbac5c164b89ad03f8afb55da9604fd0d416bbd21
        https://crt.sh/?sha256=f45d090e1bf24738a8e86734aa7acf7c9e65b619eb19660b1f73c9973f11b841
        https://crt.sh/?sha256=bcbc26c9e06c4fe1c9e4d55fa27a501c504ea84e23e114b8ac004f7c0776cd0b
        https://crt.sh/?sha256=f0935ce297419cc148bde49a7a123f2b2419cdd52df8e7f49e7bba07fe872559
        https://crt.sh/?sha256=3601ab49034e69d6e2137a80e511a0640252f444b75d6baca7bf4672c35652a5

I have not attempted to contact the owners of these domains for
confirmation, as doing so is probably not feasible (many of the domains
are owned by squatters).  However, the following facts lead me to
believe that these certificates were misissued:

1. The subject DNs contain clearly bogus values, such as:

        C=KR, ST=1, L=1, O=12, OU=1
        C=KR, ST=1, L=1, O=1, OU=1
        C=KR, ST=1, L=1, O=12, OU=1
        C=KR, ST=Test1, L=Test, O=Test

Note that the misissued example.com certificates also contain C=KR in
their subjects.

2. The third certificate in the list above contains a SAN for
DNS:*.crosscert.com - note that three of the misissued example.com
certificates contain "Crosscert" in their Subject Organization.

3. None of these certificates have been observed in the wild by Censys.
The live certificate for www.test.com was issued by Network Solutions.

4. The first two certificates in the list above both contain DNS SANs
for *all* of the following domains:

        test.com
        test1.com
        test2.com
        test3.com
        test4.com
        test5.com
        test6.com
        test7.com
        test8.com
        test9.com
        test11.com

With the exception of test4.com and test8.com, these domains are
registered to different entities and appear to be wholly unrelated to
one another in both ownership and operation.  It is unlikely that the
owners of these domains would collaborate to authorize these
certificates.

These certificates were already revoked at the time I found them.


III. Certificates with O=Test

Finally, Symantec has issued a large number of certificates with the
following attributes in the Subject:

        C=KR, ST=test, L=test, O=test, OU=test

e.g.:

        https://crt.sh/?sha256=09AECE5B94BBB8A9EE2152FA6FB7261630124918DA015EB3571508EF6D31DD30
        https://crt.sh/?sha256=CC0A2AE0EF5B1A6CF242D7B4C77AC9F05B49494B42C8486B47804874734CFC1C
        https://crt.sh/?sha256=F177AC0064167354025CE12B3914A0E056628DD31152B5DF22E41913FC9D9B45
        https://crt.sh/?sha256=DA7B1D433C071DA7A389EE2A4CAB854B89E441277B41E608F05FB7C7C6B2A761

For more, see:

        https://crt.sh/?O=test

I doubt there is an organization named "test" located in "test, Korea."

Regards,
Andrew
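The report above leans on three observable patterns: subject DNs filled with placeholder values (digits or "test"), O=test, and SAN lists spanning a family of unrelated test*.com domains. The triage script below is an added example, not code from the bug or from Symantec/Mozilla; it applies those heuristics to constructed records modelled on the DNs quoted in the report, so it only flags candidates for manual review and does not look anything up on crt.sh.

```python
import re

# Constructed sample records (not the real certificates): the subject DNs
# and SAN lists mimic the patterns quoted in the report, with made-up CNs.
SAMPLE_CERTS = [
    {"subject": "C=KR, ST=1, L=1, O=12, OU=1, CN=test.com",
     "sans": ["test.com", "test1.com", "test2.com", "test3.com"]},
    {"subject": "C=KR, ST=Test1, L=Test, O=Test, CN=www.example.test",
     "sans": ["www.example.test"]},
    {"subject": "C=KR, ST=test, L=test, O=test, OU=test, CN=foo.example",
     "sans": ["foo.example"]},
    {"subject": "C=US, ST=California, L=Los Angeles, O=Example Org, CN=www.example.org",
     "sans": ["www.example.org", "example.org"]},
]

# A value that is only digits or only "test" followed by digits is treated as a placeholder.
PLACEHOLDER = re.compile(r"^(?:\d+|test\d*)$", re.IGNORECASE)
# The unrelated-domain family the report describes: test.com, test1.com, ... test11.com.
TEST_FAMILY = re.compile(r"^test\d*\.com$", re.IGNORECASE)


def parse_dn(dn):
    """Split a flat, comma-separated RFC 4514-style DN into {ATTR: value}.
    Sufficient for the DNs in the report; escaped commas are not handled."""
    attrs = {}
    for part in dn.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().upper()] = value.strip()
    return attrs


def suspicious_reasons(subject, sans):
    """Return the list of heuristics this certificate trips (empty means nothing flagged)."""
    attrs = parse_dn(subject)
    reasons = []
    present = [k for k in ("ST", "L", "O", "OU") if k in attrs]
    # Every locality/organisation attribute is a placeholder, e.g. ST=1, L=1, O=12, OU=1.
    if present and all(PLACEHOLDER.match(attrs[k]) for k in present):
        reasons.append("placeholder subject: " + ", ".join(f"{k}={attrs[k]}" for k in present))
    if attrs.get("O", "").lower() == "test":
        reasons.append("O=test")
    family = sorted(s for s in sans if TEST_FAMILY.match(s))
    if len(family) >= 3:
        reasons.append("SANs span %d test*.com domains: %s" % (len(family), ", ".join(family)))
    return reasons


def triage(certs):
    """Map each subject DN to the reasons it was flagged, for a reviewer to follow up."""
    return {c["subject"]: suspicious_reasons(c["subject"], c["sans"]) for c in certs}
```

Thresholds such as "three or more test*.com SANs" are assumptions chosen for this example; on real CT data they would be tuned against known-good issuance.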
Comment 1 Kathleen Wilson 2017-01-26 21:34:31 PST
Created attachment 8831038
Symantec Certificate Problem Report Jan 26 2017.pdf

Update provided by Symantec.
Comment 2 Steven Medin 2017-01-30 19:43:23 PST
Created attachment 8831929
Report of Independent Accountant - Certisign
Comment 3 Steven Medin 2017-01-30 19:44:04 PST
Created attachment 8831930
CERTSUPERIOR 2016 WebTrust
Comment 4 Steven Medin 2017-01-30 19:44:52 PST
Created attachment 8831931
Deloitte Point in Time Certsuperior
Comment 5 Steven Medin 2017-01-30 19:45:26 PST
Created attachment 8831932
Deloitte Certsuperior Annex A
Comment 6 Steven Medin 2017-01-30 19:46:04 PST
Created attachment 8831933
Symantec Responses to Misissuance Questions Jan 30 2017
Comment 7 Steven Medin 2017-02-12 07:24:49 PST
Created attachment 8836487
Symantec Second Response to Misissuance Questions - Feb 12 2017
Comment 8 Steven Medin 2017-02-17 20:29:59 PST
Created attachment 8838825
Symantec Third Response to Misissuance Questions Feb 17 2017
Comment 9 Steven Medin 2017-03-03 13:08:38 PST
Created attachment 8843448
Symantec Fourth Response to Misissuance Questions Mar 3 2017
Comment 10 Steven Medin 2017-03-03 13:09:48 PST
Created attachment 8843449
All Audits
Comment 12 Steven Medin 2017-04-10 08:01:54 PDT
Created attachment 8856531
Certisign CY2012 WTCA

Certisign's CY2012 WTCA audit
Comment 13 Steven Medin 2017-04-10 08:02:56 PDT
Created attachment 8856532
CrossCert 2015-2016 WTBR Audit

WebTrust SSL Baseline for CrossCert 7/2015-6/2016
Comment 14 Steven Medin 2017-04-10 15:59:49 PDT
Created attachment 8856742
Certsuperior 5-2015 4-2016 Corrected Scope

Previously posted Deloitte audit of Certsuperior incorrectly stated scope as WT SSL Baseline only.
Comment 15 Steven Medin 2017-04-20 16:52:17 PDT
Created attachment 8860216
Mozilla Feedback Consolidated Responses
Comment 16 Steven Medin 2017-05-12 15:32:34 PDT
Created attachment 8867397
Aetna WTCA 2015
Comment 17 Steven Medin 2017-05-12 15:33:04 PDT
Created attachment 8867398
Aetna WTBR 2015
Comment 18 Steven Medin 2017-05-15 08:06:36 PDT
Created attachment 8867735
Symantec Response to Further Questions from Mozilla
Comment 19 Steven Medin 2017-05-15 14:09:18 PDT
Created attachment 8867892
SSP PROF Common Policy v1.7
