Sec-Consult found that many appliances contain the same certificate (including the private key) for securelogin.arubanetworks.com. This is widely used for captive portals. The certificate is publicly trusted. Admins can replace the built-in certificate with their own, so we're not breaking captive portals completely.

Article: http://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html
Advisory containing the private key: https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20160906-0_Aruba_Networks_Browser_trusted_cert_private_key_embedded_v10.txt
Additional Certificate Details: https://crt.sh/?id=333422
For when we have a decision on a blocklist entry, the data should be as follows:

issuer: MGExCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMR0wGwYDVQQLExREb21haW4gVmFsaWRhdGVkIFNTTDEbMBkGA1UEAxMSR2VvVHJ1c3QgRFYgU1NMIENB
serial: AdpS
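The issuer and serial above are in the form OneCRL entries use: the issuer is the DER-encoded X.501 Name, base64-encoded, and the serial is the DER INTEGER content bytes, base64-encoded (that encoding is an assumption made by this example). The script below is an added example, not part of the bug or of Mozilla's OneCRL tooling; it decodes both values with the standard library only (a minimal DER Name parser, no `cryptography` dependency) so a reader can confirm which CA the entry names, and it shows that matching is on the exact (issuer, serial) pair, which is why an admin-installed replacement certificate from another issuer would not be affected by such an entry. Helper names such as `parse_name`, `blocklist_entry` and `is_blocked` are made up for this illustration.

```python
"""Decode the OneCRL-style blocklist entry quoted in the bug (issuer DN as
base64 DER, serial as base64 bytes) and match a certificate's (issuer, serial)
pair against it. Added example; helper names are invented for illustration."""
import base64

# The two values exactly as posted in the bug.
ISSUER_B64 = ("MGExCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMR0wGwYDVQQL"
              "ExREb21haW4gVmFsaWRhdGVkIFNTTDEbMBkGA1UEAxMSR2VvVHJ1c3QgRFYgU1NMIENB")
SERIAL_B64 = "AdpS"

# X.500 attribute OIDs commonly found in an issuer Name (dotted form -> short label).
OID_LABELS = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Handles short and long-form lengths, which is enough for Name structures."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn DER OID content bytes into dotted notation (b'\\x55\\x04\\x03' -> '2.5.4.3')."""
    first = raw[0]
    arcs = [first // 40, first % 40]
    value = 0
    for b in raw[1:]:                       # base-128 arcs, high bit set on all but last byte
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_name(der):
    """Parse a DER-encoded X.501 Name into a list of (label, value) pairs.
    Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value string }."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns = []
    pos = 0
    while pos < len(body):
        tag, rdn_set, pos = _read_tlv(body, pos)
        assert tag == 0x31, "RDN must be a SET"
        inner = 0
        while inner < len(rdn_set):
            _, atv, inner = _read_tlv(rdn_set, inner)   # AttributeTypeAndValue SEQUENCE
            _, oid_raw, p = _read_tlv(atv, 0)
            _, val_raw, _ = _read_tlv(atv, p)            # PrintableString / UTF8String
            oid = _decode_oid(oid_raw)
            rdns.append((OID_LABELS.get(oid, oid), val_raw.decode("utf-8")))
    return rdns


def name_to_string(rdns):
    """Render parsed RDNs as 'C=US, O=..., CN=...' in DER order."""
    return ", ".join(f"{k}={v}" for k, v in rdns)


def serial_to_int(serial_b64):
    """Interpret the base64 serial as a big-endian two's-complement DER INTEGER."""
    return int.from_bytes(base64.b64decode(serial_b64), "big", signed=True)


def blocklist_entry():
    """Return the entry from the bug as (issuer_der_bytes, serial_bytes)."""
    return base64.b64decode(ISSUER_B64), base64.b64decode(SERIAL_B64)


def is_blocked(issuer_der, serial_bytes, entries):
    """Match on the exact (issuer DER, serial) pair, as a OneCRL-style check does;
    a certificate from a different issuer or with another serial is unaffected."""
    return any(issuer_der == i and serial_bytes == s for i, s in entries)


if __name__ == "__main__":
    issuer_der, serial = blocklist_entry()
    print("issuer:", name_to_string(parse_name(issuer_der)))
    print("serial: 0x%s (%d)" % (serial.hex(), serial_to_int(SERIAL_B64)))
    print("blocked?", is_blocked(issuer_der, serial, [blocklist_entry()]))
```

Running it prints the issuer as `C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA` and the serial as `0x01da52`; the DN parser walks only the SEQUENCE/SET/SEQUENCE nesting of a Name and is not a general-purpose certificate parser.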
I've asked around, and can't find much incidence of this service being used much in the wild. It seems to be a low-risk situation. As OneCRL isn't intended to be a list of all revoked certificates, I'm marking this WONTFIX. I'm willing to entertain an alternate perspective; I feel like I just need a run-down of how this is dangerous enough to place into OneCRL.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WONTFIX