Adding leaked securelogin.arubanetworks.com certificate to OneCRL

RESOLVED WONTFIX

Status

()

RESOLVED WONTFIX
2 years ago
2 years ago

People

(Reporter: freddyb, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Sec-Consult found that many appliances contain the same certificate (including the private key) for securelogin.arubanetworks.com.

This is widely used for captive portals. The certificate is publicly trusted. Admins can replace the built-in certificate with their own, so we're not breaking captive portals completely.



Article: http://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html
Advisory containing the private key: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160906-0_Aruba_Networks_Browser_trusted_cert_private_key_embedded_v10.txt
Additional Certificate Details: https://crt.sh/?id=333422
For when we have a decision on a blocklist entry, the data should be as follows:

issuer: MGExCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMR0wGwYDVQQLExREb21haW4gVmFsaWRhdGVkIFNTTDEbMBkGA1UEAxMSR2VvVHJ1c3QgRFYgU1NMIENB
serial: AdpS
I've asked around, and can't find much incidence of this service being used much in the wild. It seems to be a low-risk situation. As OneCRL isn't intended to be a list of all revoked certificates, I'm marking this WONTFIX. 

I'm willing to entertain an alternate perspective; I feel like I just need a run-down of how this is dangerous enough to place into OneCRL.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.