Bug 1283498 (Closed)
StartCom StartEncrypt vulnerability allowed issuance of fraudulent google.com, dropbox.com, etc. certificates
Opened 9 years ago; closed 8 years ago
Categories: CA Program :: CA Certificate Root Program, task
Status: RESOLVED FIXED
People: Reporter: callahad, Assigned: kathleen.a.wilson
Details
Not sure where the right product/component is for this, but according to https://www.computest.nl/blog/startencrypt-considered-harmful-today/, for a period of two weeks this month, it was possible to use StartCom's StartEncrypt project to fraudulently obtain certificates for domains not under the user's control.
Quotes from the article:
"domains where the attack will work include google.com, facebook.com, live.com, dropbox.com and others."
"certificates can be obtained, like for google.com, paypal.com, linkedin.com, login.live.com and all those other websites with open redirects."
...we should do something about this, right?
I'm kinda shocked that StartCom certs are still being accepted after this. If this doesn't qualify to get you dropped, what possibly could?
Comment 2•9 years ago
There is currently a discussion going on in dev.security.policy:
https://groups.google.com/d/topic/mozilla.dev.security.policy/GWSEO-oooGM/discussion
Comment 3•9 years ago
Eddy,
Is the following still your stance on this?
From Eddy on July 1:
https://groups.google.com/d/msg/mozilla.dev.security.policy/GWSEO-oooGM/nkOCLQGcBwAJ
> There were indeed a couple of issues with the client software - known bugs have been fixed by our developers (hope there won't be anything more significant than that).
> So far fewer than three hundred certificates have been issued using this method; none should have been effectively issued wrongfully due to our backend checks.
> At the moment I don't believe that a public incident report is necessary, but should anything change in our current assessment we will obviously act accordingly. I instructed additional verifications and confirmations to assert that assessment.
Please also reply asap with answers to the following questions.
1) What further action have you taken regarding this incident?
2) Are there any certificates that were issued as a result of these problems that should be added to OneCRL? If yes, please attach the info to this bug, so we can make the corresponding changes.
3) What actions have and will you be taking to fully resolve the noted problems?
What is the timeline that you are targeting for implementation/resolution?
Updated•9 years ago
Flags: needinfo?(eddy_nigg)
Comment 4•9 years ago
(In reply to Kathleen Wilson from comment #3)
> 1) What further action have you taken regarding this incident?
Basically we fixed the bug after Computest reported it to us, but also closed the API and the StartEncrypt service on the same day.
We announced this on our website on July 4th: https://www.startssl.com/NewsDetails?date=20160606
> 2) Are there any certificates that were issued as a result of these problems
> that should be added to OneCRL?
No, all issued certificates were correctly validated.
> 3) What actions have and will you be taking to fully resolve the noted
> problems?
> What is the timeline that you are targeting for implementation/resolution?
We decided to use the ACME protocol for future versions of this particular service; the old version has been closed as of July 4th.
Flags: needinfo?(eddy_nigg)
Comment 5•8 years ago
Mozilla has taken action against StartCom which included consideration of this issue.
Gerv
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•8 years ago
Product: mozilla.org → NSS
Updated•3 years ago
Product: NSS → CA Program