Add Symantec Test Certs to OneCRL

RESOLVED FIXED

Status

()

--
major
RESOLVED FIXED
4 years ago
2 years ago

People

(Reporter: kwilson, Assigned: mgoodwin)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(7 attachments)

(Reporter)

Description

4 years ago
Symantec has provided a list of test certificates that they mis-issued for domains that are registered to third parties.

https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportOwnedDomains.pdf

There are 164 certificates in the list. We should add these certificates to OneCRL.
(Reporter)

Comment 1

4 years ago
Further discussion about this event will happen here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Hkyg_09EDYE/kzQAK3mqAwAJ
(Reporter)

Comment 2

4 years ago
Symantec, Please list the URLs to the CRLs containing these revocations.

Comment 3

4 years ago
Here's the CRL names and URL in CSV format:

Equifax Secure Certificate Authority,crl.geotrust.com/crls/secureca.crl 
GeoTrust DSA SSL CA,gi.symcb.com/gi.crl
GeoTrust DV SSL CA,gg.symcb.com/gg.crl
GeoTrust DV SSL CA - G2,gc.symcb.com/gc.crl
GeoTrust DV SSL CA - G3,gt.symcb.com/gt.crl
GeoTrust DV SSL CA - G4,gu.symcb.com/gu.crl
GeoTrust DV SSL SHA256 CA,gr.symcb.com/gr.crl
GeoTrust DV SSL SHA256 CA - G2,gy.symcb.com/gy.crl
GeoTrust EV SSL CA - G4,gm.symcb.com/gm.crl
GeoTrust Extended Validation SSL CA,ge.symcb.com/ge.crl
GeoTrust Extended Validation SSL CA - G2,ga.symcb.com/ga.crl
GeoTrust SHA256 SSL CA,gj.symcb.com/gj.crl
GeoTrust SSL CA,gf.symcb.com/gf.crl
GeoTrust SSL CA - G2,gb.symcb.com/gb.crl
GeoTrust SSL CA - G3,gn.symcb.com/gn.crl
RapidSSL CA,gh.symcb.com/gh.crl
RapidSSL SHA256 CA - G3,gv.symcb.com/gv.crl
RapidSSL SHA256 CA - G4,gz.symcb.com/gz.crl
Symantec Class 3 DSA EV SSL CA,sp.symcb.com/sp.crl
Symantec Class 3 DSA SSL CA,so.symcb.com/so.crl
Symantec Class 3 ECC 256 bit EV CA - G2,rd.symcb.com/rd.crl
Symantec Class 3 ECC 256 bit Extended Validation CA,sn.symcb.com/sn.crl
Symantec Class 3 ECC 256 bit SSL CA,sm.symcb.com/sm.crl
Symantec Class 3 ECC 256 bit SSL CA - G2,rc.symcb.com/rc.crl
Symantec Class 3 EV SSL CA - G2,st.symcb.com/st.crl
Symantec Class 3 EV SSL CA - G3,sr.symcb.com/sr.crl
Symantec Class 3 EV SSL SGC CA - G2,su.symcb.com/su.crl
Symantec Class 3 Secure Server CA - G4,ss.symcb.com/ss.crl
Symantec Class 3 Secure Server SHA256 SSL CA,sg.symcb.com/sg.crl
thawte DSA SSL CA,te.symcb.com/te.crl
Thawte DV SSL CA,tc.symcb.com/tc.crl
thawte DV SSL CA - G2,tn.symcb.com/tn.crl
thawte DV SSL SHA256 CA,tm.symcb.com/tm.crl
thawte EV SSL CA - G3,ti.symcb.com/ti.crl
thawte Extended Validation SHA256 SSL CA,tf.symcb.com/tf.crl
thawte Extended Validation SSL CA,ta.symcb.com/ta.crl
Thawte Premium Server CA,crl.thawte.com/ThawtePremiumServerCA.crl 
Thawte SGC CA,crl.thawte.com/ThawteSGCCA.crl 
Thawte SGC CA - G2,td.symcb.com/td.crl
thawte SHA256 SSL CA,tg.symcb.com/tg.crl
Thawte SSL CA,tb.symcb.com/tb.crl
thawte SSL CA - G2,tj.symcb.com/tj.crl
VeriSign Class 3 Extended Validation CA - T1,si.symcb.com/si.crl
VeriSign Class 3 Extended Validation SGC CA - T1,sj.symcb.com/sj.crl
VeriSign Class 3 Extended Validation SSL CA,sa.symcb.com/sa.crl 
VeriSign Class 3 Extended Validation SSL SGC CA,sb.symcb.com/sb.crl
VeriSign Class 3 International Server CA - G3,se.symcb.com/se.crl
VeriSign Class 3 Secure Server CA,crl.verisign.com/SVRSecure2005.crl 
VeriSign Class 3 Secure Server CA - G2,crl.verisign.com/SVRSecureG2.crl 
VeriSign Class 3 Secure Server CA - G3,sd.symcb.com/sd.crl
VeriSign Class 3 Secure Server CA - T1,sk.symcb.com/sk.crl
VeriSign International Server CA - Class 3,crl.verisign.com/SVRIntl.crl
Hi Rick,

As we have an open communication channel in this bug: a couple of good questions have been raised in the public discussion.

1) This list of test certs for owned domains contains an entry for
a cert with serial number 0xc222a issued by RapidSSL CA, valid from 05/18/2013
22:27:16 GMT to 06/20/2015 13:57:13 GMT (last entry of the owned domains PDF).
This appears to be this certificate https://crt.sh/?id=1990400 which has:

            X509v3 Subject Alternative Name:
                DNS:*.icns.com.au
                DNS:icns.com.au

As of this writing, there appears to be a functional server at that
www.icns.com.au which presents that (expired and revoked) cert and to which
openssl s_client can successfully connect.

Is this entry an error? This cert does not look like the other testing certs I have examined.

2) In Symantec's initial incident report, you indicated 'the private keys
associated with the test certificates were all destroyed as part of the testing
tool that was used to enroll for the test certificates'. Are you still making
this claim for the test certificates found subsequently?

Thanks,

Gerv

Comment 5

4 years ago
Gerv, we're investigating. I'll update this bug as soon as I have more info.
(Reporter)

Comment 6

4 years ago
Let's keep this bug devoted to OneCRL.

For further questions and answers about this incident, let's use the discussion in m.d.s.policy:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Hkyg_09EDYE/kzQAK3mqAwAJ

Mark, Do you need any further data in order to make the changes to OneCRL?

Thanks.
(In reply to Kathleen Wilson from comment #6)
> Let's keep this bug devoted to OneCRL.

Rick: are you happy to engage with questions in m.d.s.policy or would you prefer another bug or some other mechanism where I filter the questions that are asked?

Gerv

Comment 8

4 years ago
Gerv, yes, we'd prefer to answer questions in m.d.s.policy.
Cool. You can see the 2 Qs above in there; I look forward to reading your answers :-)

Gerv
(Reporter)

Comment 10

4 years ago
(In reply to Kathleen Wilson from comment #0)
> Symantec has provided a list of test certificates that they mis-issued for
> domains that are registered to third parties.
> 
> https://www-secure.symantec.com/connect/sites/default/files/
> TestCertificateIncidentReportOwnedDomains.pdf
> 
> There are 164 certificates in the list. We should add these certificates to
> OneCRL.

Rick, Are all of the certs in the list EV?
The reason I ask is that if they are EV, then the OCSP check will hard-fail due to the revocation, so we would not need to add those to OneCRL.
(Reporter)

Comment 11

4 years ago
It has also been pointed out to me that the expired certs don't need to be added to OneCRL either.

Comment 12

4 years ago
Kathleen, not all the certs are EV, and some are also expired. We are continuing to collate all feedback and will be publishing an update soon that you can use to update your OneCRL. Thanks.

Comment 13

3 years ago
We have posted an update to our test certificate incident report at https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report_20151029.pdf. That contains links to these updated files:

List of Test Certs of Owned Domains (Updated October 27, 2015) https://www-secure.symantec.com/connect/sites/default/files/Test_Certificate_Incident_Report_Owned_Domains_20151027.pdf
List of Test Certs of Unregistered Domains (Updated October 27, 2015) https://www-secure.symantec.com/connect/sites/default/files/Test_Certificate_Incident_Report_Unregistered_20151027.pdf

In those files, you can clearly see which certs are EV, and the expiration date of each.
(Reporter)

Comment 14

3 years ago
I think we should add to OneCRL the certs in the lists in Comment #13 that meet all of the following:
- not EV (so OCSP not enforced)
- valid beyond 2015
- marked as 3 (Domain not owned at time of issuance) and 4 (Domain owned at time of issuance) -- I'm assuming those notes mean that someone other than Symantec might own those domains. Rick, is that correct?

Comment 15

3 years ago
The criteria that we understand you want to use to populate OneCRL is as follows:
 1. Only certificates for domains that were owned by a party other than Symantec at time of issue
 2. Not yet expired certificates
 3. Not EV certificates

Based on this, here’s how to get that info out of the two lists:

From the list of “owned domains” select all certificates that meet the following criteria (there are 47 in total):
 1. The note field is blank
 2. The expire date is on or after Nov 1, 2015

From the list of “unregistered domains” select all certificates that meet the following criteria (there are 4 in total):
 1. The note field is exactly “4” (do not include “1,4” or “1,4,5” — these were false positives and were properly issued)
 2. The expire date is on or after Nov 1, 2015

For your convenience, we have attached a CSV file that includes only these 51 certificates. One correction to your prior post is that you should not include certificates with Note #3 (these were certificates whose domains we have determined were unowned at the time of issuance and were improperly classified as “owned domains”).

Comment 16

3 years ago
Actually, I think we want the EV certificates as well (for EV, OCSP is only "enforced" insofar as if a response can't be fetched, Firefox will fall back to DV validation, and if a response still can't be fetched, the connection succeeds, just with no EV indicator).

Also, I can't find the certificates indicated in attachment 8684462 [details] in any certificate transparency log. Rick, are those going to be disclosed?
Flags: needinfo?(rick_andrews)

Comment 19

3 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #17)
> Actually, I think we want the EV certificates as well (for EV, OCSP is only
> "enforced" insofar as if a response can't be fetched, Firefox will fall back
> to DV validation, and if a response still can't be fetched, the connection
> succeeds, just with no EV indicator).

David, I attached a csv file with the EV certs that were not expired as of November 1, 2015 and that were issued to owned domains. 

> Also, I can't find the certificates indicated in attachment 8684462 [details]
> [details] in any certificate transparency log. Rick, are those going to be
> disclosed?

We don’t have plans to log these certificates.
Flags: needinfo?(rick_andrews)
(Reporter)

Comment 20

3 years ago
Rick, OneCRL wasn't really intended for typical end-entity cert revocations, so we don't want to just add a bunch of end-entity cert data to it, especially if the test certs were issued to *symantec*.com domain names. So, we would like the ability to evaluate which of these revoked test certs we should add to OneCRL. My understanding is that we can do that with the EV certs, because those EV certs are already available via CT. But we do not have sufficient information about the non-EV certs to make the decision about whether we should add them to OneCRL or not. So, would you please add a column to the .csv attachment to Comment #16 to provide the domain name(s) included in the cert? 
(I didn't see any way for us to find this information based on what has already been published.)

Comment 21

3 years ago
Kathleen, we’ve notified all of the owners of domains used for the relevant test certs we’ve identified. Some organizations have explicitly asked us to not disclose additional details; however, we can provide you with the domain info if we receive authorization to do so from the domain owners. At this point, Google and Opera are the only organizations who have indicated that they are OK with public disclosure.  I believe you know those specific certs, but we can follow up with those if needed.
(Reporter)

Comment 22

3 years ago
(In reply to Rick Andrews from comment #21)
> Kathleen, we’ve notified all of the owners of domains used for the relevant
> test certs we’ve identified. Some organizations have explicitly asked us to
> not disclose additional details; 

In that case, would you please update the OneCRL attachment in Comment #16 to:
1) Remove any certs with only *symantec* domains.
2) Add cert expiration dates, so we can track when to remove them from OneCRL.

Comment 23

3 years ago
Kathleen, there's nothing to update. The attachment in Comment #16 included only certificates for domains that were owned by a party other than Symantec at time of issue; hence no *symantec* domains. And the csv file includes the cert expiration dates.
(Reporter)

Comment 24

3 years ago
Symantec announced the results of their investigation:
http://www.symantec.com/connect/blogs/results-our-investigation_0
(Reporter)

Comment 25

3 years ago
https://www.symantec.com/page.jsp?id=test-certs-update
 The certificate details are available here for reference, including certificates identified since our last report on October 29, 2015 which are identified in the column titled “Apr 2016”:
List of Mis-issued Test Certificates to Owned Domains (Updated April 21, 2016)
https://vs.symantec.com/assets/csv/test-certificate-incident-report-owned-domain-summary_april-2016.csv
List of Mis-issued Test Certificates to Unregistered Domains (Updated April 21, 2016)
https://vs.symantec.com/assets/csv/test-certificate-incident-report-unregistered-domain-summary_april-2016.csv
These are the encoded serial/issuer pairs of unexpired certificates from the owned domain list. Mark - can you make sure this makes it into OneCRL? Thanks.
Flags: needinfo?(mgoodwin)
(Assignee)

Comment 27

3 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #26)
> Mark - can you make sure this makes it into OneCRL?
> Thanks.

Sure. I have filed bug 1267648 to track creation of AMO blocklist items. I will follow up once this is done to ensure the new blocklist items are being updated accordingly.
Flags: needinfo?(mgoodwin)
(Assignee)

Comment 28

3 years ago
These items are now visible in the blocklist.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
(Reporter)

Updated

2 years ago
Blocks: 1155095
You need to log in before you can comment on or make changes to this bug.