1005653 - Audit certs used by mozilla properties

Status: RESOLVED WONTFIX

(Core :: Security: PSM, defect)

Description

[[:mmc] Monica Chew (no longer reading bugmail)]

So that they can be pinned.

Comment 1

[[:mmc] Monica Chew (no longer reading bugmail)]

Attachment: mozilla.pins

These are everything that match CN or alt names from the CT database.

regexp.Compile("(.*[.])?mozilla[.](com|org|net)")

Comment 2

[Reed Loden [:reed]]

Is somebody, you know, talking to IT about this before pinning sites and breaking Mozilla properties? I worry somebody will screw up and break AUS, causing users to not be able to update at all. :/

Comment 3

[Camilo Viecco (:cviecco)]

(In reply to Reed Loden [:reed] from comment #2)
> Is somebody, you know, talking to IT about this before pinning sites and
> breaking Mozilla properties? I worry somebody will screw up and break AUS,
> causing users to not be able to update at all. :/

AUS will probably be the last pinned entry. And yes we have contacted IT.

Comment 4

[[:mmc] Monica Chew (no longer reading bugmail)]

This is a list of issuers from the CT database for domains matching comment 1. We know that this one is a false positive:

ISSUER:UTN-USERFirst-Hardware


Of the remaining ones, we need to check if any are also false positives. Several are not on the existing pinset (DigiCert SHA2 Secure Server CA, etc.)

ISSUER:DigiCert High Assurance CA-3
ISSUER:DigiCert High Assurance EV CA-1
ISSUER:DigiCert SHA2 Extended Validation Server CA
ISSUER:DigiCert SHA2 Secure Server CA
ISSUER:DigiCert Secure Server CA
ISSUER:GeoTrust Extended Validation SSL CA
ISSUER:GeoTrust SSL CA
ISSUER:GlobalSign Organization Validation CA - G2
ISSUER:RapidSSL CA
ISSUER:Thawte SSL CA
ISSUER:VeriSign Class 3 Extended Validation SSL CA
ISSUER:VeriSign Class 3 Secure Server CA - G3

Comment 5

[Camilo Viecco (:cviecco)]

(In reply to [:mmc] Monica Chew (please use needinfo) from comment #4)
> This is a list of issuers from the CT database for domains matching comment
> 1. We know that this one is a false positive:
> 
> ISSUER:UTN-USERFirst-Hardware
> 
> 
> Of the remaining ones, we need to check if any are also false positives.
> Several are not on the existing pinset (DigiCert SHA2 Secure Server CA, etc.)
> 
> ISSUER:DigiCert High Assurance CA-3
> ISSUER:DigiCert High Assurance EV CA-1
> ISSUER:DigiCert SHA2 Extended Validation Server CA
> ISSUER:DigiCert SHA2 Secure Server CA
> ISSUER:DigiCert Secure Server CA
> ISSUER:GeoTrust Extended Validation SSL CA
> ISSUER:GeoTrust SSL CA
> ISSUER:GlobalSign Organization Validation CA - G2
> ISSUER:RapidSSL CA
> ISSUER:Thawte SSL CA
> ISSUER:VeriSign Class 3 Extended Validation SSL CA
> ISSUER:VeriSign Class 3 Secure Server CA - G3

Can you attach the actual certs or instrunctions on how to get them please?

Comment 6

[[:mmc] Monica Chew (no longer reading bugmail)]

Hi Camilo,

They are in the https://bugzilla.mozilla.org/attachment.cgi?id=8417053

Monica

Comment 7

[Reed Loden [:reed]]

Some of the CAs mentioned in comment #4 are intermediate CAs. That seems dangerous to pin to specific intermediates rather than the roots themselves. Intermediates are not expected to remain the same for long periods of time and can be changed out at every new cert issuance.

Comment 8

[Richard Barnes [:rbarnes]]

Attachment: moz-subject.csv

Certificates from the ZMap HTTPS Ecosystem Survey [1] that match the same regex in mmc's scan of the CT database.  There are ~350 of them.  CSV file, with the structure specified in [2].  Distribution of issuers in this set is as follows:

 119 "C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA"
  43 "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3"
  26 "C=US, O=DigiCert Inc, CN=DigiCert Secure Server CA"
  17 "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV CA-1"
   9 "C=US, O=Equifax, OU=Equifax Secure Certificate Authority"
   7 "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3"
   6 "C=US, O=GeoTrust, Inc., CN=RapidSSL CA"
   5 "C=US, O=GeoTrust Inc, OU=See www.geotrust.com/resources/cps (c)06, CN=GeoTrust Extended Validation SSL CA"
   3 "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
   3 "C=US, O=Akamai Technologies Inc, CN=Akamai Subordinate CA 3"
   3 "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - G2"
   2 "C=US, O=Thawte, Inc., CN=Thawte SSL CA"
   2 "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA"
   2 "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA"
   1 "O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA"
   1 "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL CA"
   1 "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=PositiveSSL CA"
   1 "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High-Assurance Secure Server CA"
   1 "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High Assurance Secure Server CA"

[1] https://scans.io/study/umich-https
[2] https://scans.io/data/umich/https/schema.txt

Comment 9

[Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)]

I'm not sure this is the direction we (as security engineering) should be going. Yes, we want to pin all Mozilla properties, but we should just have ops tell us what to pin to what, rather than attempting to find the relevant issuers ourselves.