Bug 1005653
Opened 10 years ago
Closed 8 years ago
Audit certs used by mozilla properties
Categories: Core :: Security: PSM, defect
Status: RESOLVED WONTFIX
Reporter: mmc (Unassigned)
Attachments: 2 files
So that they can be pinned.
Comment 1 • 10 years ago (reporter)

These are all the entries from the CT database whose CN or alt names match:

regexp.Compile("(.*[.])?mozilla[.](com|org|net)")
Comment 2 • 10 years ago
Is somebody, you know, talking to IT about this before pinning sites and breaking Mozilla properties? I worry somebody will screw up and break AUS, causing users to not be able to update at all. :/
Comment 3 • 10 years ago

(In reply to Reed Loden [:reed] from comment #2)
> Is somebody, you know, talking to IT about this before pinning sites and
> breaking Mozilla properties? I worry somebody will screw up and break AUS,
> causing users to not be able to update at all. :/

AUS will probably be the last pinned entry. And yes, we have contacted IT.
Comment 4 • 10 years ago (reporter)

This is a list of issuers from the CT database for domains matching comment 1. We know that this one is a false positive:

ISSUER:UTN-USERFirst-Hardware

Of the remaining ones, we need to check if any are also false positives. Several are not on the existing pinset (DigiCert SHA2 Secure Server CA, etc.)

ISSUER:DigiCert High Assurance CA-3
ISSUER:DigiCert High Assurance EV CA-1
ISSUER:DigiCert SHA2 Extended Validation Server CA
ISSUER:DigiCert SHA2 Secure Server CA
ISSUER:DigiCert Secure Server CA
ISSUER:GeoTrust Extended Validation SSL CA
ISSUER:GeoTrust SSL CA
ISSUER:GlobalSign Organization Validation CA - G2
ISSUER:RapidSSL CA
ISSUER:Thawte SSL CA
ISSUER:VeriSign Class 3 Extended Validation SSL CA
ISSUER:VeriSign Class 3 Secure Server CA - G3
Comment 5 • 10 years ago

(In reply to [:mmc] Monica Chew (please use needinfo) from comment #4)
> This is a list of issuers from the CT database for domains matching comment
> 1. We know that this one is a false positive:
>
> ISSUER:UTN-USERFirst-Hardware
>
> Of the remaining ones, we need to check if any are also false positives.
> Several are not on the existing pinset (DigiCert SHA2 Secure Server CA, etc.)
>
> ISSUER:DigiCert High Assurance CA-3
> ISSUER:DigiCert High Assurance EV CA-1
> ISSUER:DigiCert SHA2 Extended Validation Server CA
> ISSUER:DigiCert SHA2 Secure Server CA
> ISSUER:DigiCert Secure Server CA
> ISSUER:GeoTrust Extended Validation SSL CA
> ISSUER:GeoTrust SSL CA
> ISSUER:GlobalSign Organization Validation CA - G2
> ISSUER:RapidSSL CA
> ISSUER:Thawte SSL CA
> ISSUER:VeriSign Class 3 Extended Validation SSL CA
> ISSUER:VeriSign Class 3 Secure Server CA - G3

Can you attach the actual certs or instructions on how to get them, please?
Comment 6 • 10 years ago (reporter)

Hi Camilo,

They are in https://bugzilla.mozilla.org/attachment.cgi?id=8417053

Monica
Comment 7 • 10 years ago
Some of the CAs mentioned in comment #4 are intermediate CAs. That seems dangerous to pin to specific intermediates rather than the roots themselves. Intermediates are not expected to remain the same for long periods of time and can be changed out at every new cert issuance.
Comment 8 • 10 years ago

Certificates from the ZMap HTTPS Ecosystem Survey [1] that match the same regex in mmc's scan of the CT database. There are ~350 of them. CSV file, with the structure specified in [2]. Distribution of issuers in this set is as follows:

119 "C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA"
43 "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3"
26 "C=US, O=DigiCert Inc, CN=DigiCert Secure Server CA"
17 "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV CA-1"
9 "C=US, O=Equifax, OU=Equifax Secure Certificate Authority"
7 "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)10, CN=VeriSign Class 3 Secure Server CA - G3"
6 "C=US, O=GeoTrust, Inc., CN=RapidSSL CA"
5 "C=US, O=GeoTrust Inc, OU=See www.geotrust.com/resources/cps (c)06, CN=GeoTrust Extended Validation SSL CA"
3 "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA"
3 "C=US, O=Akamai Technologies Inc, CN=Akamai Subordinate CA 3"
3 "C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - G2"
2 "C=US, O=Thawte, Inc., CN=Thawte SSL CA"
2 "C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA"
2 "C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Class 1 Primary Intermediate Server CA"
1 "O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA"
1 "C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL CA"
1 "C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=PositiveSSL CA"
1 "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High-Assurance Secure Server CA"
1 "C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO High Assurance Secure Server CA"

[1] https://scans.io/study/umich-https
[2] https://scans.io/data/umich/https/schema.txt
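The CN/SAN filter from comment 1 and the issuer tally from comment 8, as an added Go example that is not from this bug or from Mozilla's tooling; the CertRecord struct and the sample entries are constructed, and the regex is anchored with ^ and $, which the expression in comment 1 is not (the unanchored form is one source of the false positives comment 4 mentions).

```go
package main

import (
	"fmt"
	"regexp"
)

// CertRecord holds the fields of a CT or scan entry used here (a constructed struct).
type CertRecord struct {
	Subject string   // subject CN
	SANs    []string // dNSName subjectAltNames
	Issuer  string   // issuer DN
}

// The expression from comment 1, anchored with ^ and $: Go's MatchString is unanchored,
// so the bare form also matches "notmozilla.com" and "mozilla.com.example.net".
var mozillaRe = regexp.MustCompile(`^(.*[.])?mozilla[.](com|org|net)$`)

// MatchesMozilla reports whether the CN or any SAN names a Mozilla property.
func MatchesMozilla(r CertRecord) bool {
	for _, name := range append([]string{r.Subject}, r.SANs...) {
		if mozillaRe.MatchString(name) {
			return true
		}
	}
	return false
}

// IssuerCounts tallies issuer DNs over the matching records, as in comment 8.
func IssuerCounts(records []CertRecord) map[string]int {
	counts := map[string]int{}
	for _, r := range records {
		if MatchesMozilla(r) {
			counts[r.Issuer]++
		}
	}
	return counts
}

func main() {
	// Constructed sample entries; the issuer names are ones listed on the page.
	sample := []CertRecord{
		{"www.mozilla.org", []string{"mozilla.org"}, "CN=DigiCert High Assurance CA-3"},
		{"notmozilla.com", nil, "CN=RapidSSL CA"},                                // rejected
		{"shop.example", []string{"mozilla.com.example.net"}, "CN=Thawte SSL CA"}, // rejected
	}
	for issuer, n := range IssuerCounts(sample) {
		fmt.Printf("%d %s\n", n, issuer)
	}
}
```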
I'm not sure this is the direction we (as security engineering) should be going. Yes, we want to pin all Mozilla properties, but we should just have ops tell us what to pin to what, rather than attempting to find the relevant issuers ourselves.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX