Closed Bug 1353833 Opened 8 years ago Closed 8 years ago

GlobalSign: Incapsula issued a certificate for non-existing domain (testslsslfeb20.me)

Categories: CA Program :: CA Certificate Compliance
Type: task
Priority: Not set
Severity: normal
Tracking: Not tracked
Status: RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)

Details

(Whiteboard: [ca-compliance] [ov-misissuance])

Reported in the mozilla.dev.security.policy forum: https://groups.google.com/d/msg/mozilla.dev.security.policy/l1mDdCL8LlU/6lzm9GS6AQAJ

Incapsula "re-keying" certificates for domains that are no longer in control of their subscribers.

Update from GlobalSign on March 3:
~~
I wanted to send out a short update of where we are on looking into the reported Incapsula/testslsslfeb20.me certificate and the thread of comments and questions above. In this specific case the domain was verified within 39 months of issuance/reissuance (no difference, as Ryan pointed out). In general, when we receive new orders and issue certificates, the vetting is done just prior to issuance time, which permits the certificate to be replaced up until expiration. We're looking into cases where new "orders" may have used certificate data that was done prior and then verifying that the domains (and enterprise data on the subject DN) are re-verified at the applicable intervals. I'll send out an update as soon as I have more information.
~~

Awaiting incident report from GlobalSign
Product: mozilla.org → NSS
Thanks, Doug, for the detailed incident report.

Including domain names without proper ownership validation is a reasonably serious thing. It is mitigated in this case by the fact that the domain names were, at least at some point, owned or controlled by the entities concerned, so this is not unbridled misissuance. But really, 39 months (while the standard, until recently) is far too infrequent to be rechecking ownership, and so accidentally taking even longer than that isn't great.

Are you able to say how many of the 945 domains failed their attempted re-validation, due to no longer being owned by the customer (or the customer's customer)?

I'm pleased to hear you have updated your system to meet the new 825-day standard, and more pleased to hear that you plan to voluntarily impose a 15-month (~450 day) standard on top of that.

Other than the question above, there is no further action at this time.

Gerv
Hi Gerv,

236 of the 945 SANs were deleted from certificates and not added back, so that would be the upper limit on "domains that failed re-validation". It's possible that some of these were replaced with wildcard certificates or with different FQDNs under the same Domain Name, but we didn't dig any further than getting the number of deleted SANs.

Doug
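The failure mode discussed above is that a reissue or re-key reused domain-control evidence that was older than the allowed interval, rather than re-verifying each SAN at issuance time. The following is an added example (not GlobalSign's or Incapsula's code) of the check a CA's issuance pipeline should apply to every SAN on every issuance event, treating re-key and reissue exactly like a new order. The three intervals come from the thread (the legacy 39-month limit, the 825-day Baseline Requirements limit, and GlobalSign's stated voluntary 15-month limit); the domain names and validation dates are constructed for illustration and are not from the incident.

```python
"""
Per-SAN reuse check for domain-control validation evidence.

Added example, not code from GlobalSign or Incapsula. Policy intervals are
those named in the bug thread; all SAN names and dates below are constructed.
"""
from __future__ import annotations

import calendar
from datetime import date, timedelta


def add_months(d: date, months: int) -> date:
    """Calendar-month addition, clamping the day to the target month's
    length (e.g. 31 Jan + 1 month -> 28 or 29 Feb)."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


# Each policy maps a validation date to the LAST date on which that
# validation may still be reused for issuance.
POLICIES = {
    "BR-legacy-39-months": lambda v: add_months(v, 39),
    "BR-825-days": lambda v: v + timedelta(days=825),
    "GlobalSign-voluntary-15-months": lambda v: add_months(v, 15),
}


def reusable(validated: date, issued: date, policy: str) -> bool:
    """True if domain-control evidence obtained on `validated` may be reused
    for a certificate issued on `issued` under `policy`.

    Deliberately takes no 'order kind' argument: a re-key or reissue is an
    issuance and is held to the same interval as a brand-new order."""
    if issued < validated:
        raise ValueError("issuance date precedes validation date")
    return issued <= POLICIES[policy](validated)


def sans_needing_revalidation(sans: dict[str, date], issued: date,
                              policy: str) -> list[str]:
    """SANs whose stored validation is too old to reuse on `issued`.
    Every name returned must be re-validated before the cert is signed."""
    return sorted(name for name, validated in sans.items()
                  if not reusable(validated, issued, policy))


def revalidation_report(sans: dict[str, date],
                        issued: date) -> dict[str, list[str]]:
    """Run the same order against every policy, to show how the interval
    choice changes which SANs would have blocked issuance."""
    return {p: sans_needing_revalidation(sans, issued, p) for p in POLICIES}


# Constructed sample: one reissue on 2017-02-20 carrying four SANs whose
# last domain-control validation happened on the dates shown.
SAMPLE_SANS = {
    "customer-a.example": date(2016, 9, 1),    # fresh under every policy
    "customer-b.example": date(2014, 12, 10),  # stale only under 15 months
    "customer-c.example": date(2013, 10, 20),  # stale under every policy
    "customer-d.example": date(2014, 10, 1),   # stale under 825 days, fine under 39 months
}
SAMPLE_ISSUED = date(2017, 2, 20)


if __name__ == "__main__":
    for policy, stale in revalidation_report(SAMPLE_SANS, SAMPLE_ISSUED).items():
        print(f"{policy:32} re-validate: {stale}")
```

The report shows why the interval matters: the same reissue passes cleanly under the legacy 39-month rule except for one SAN, but two SANs need re-validation under 825 days and three under the 15-month limit. Where the validation date is not recorded per SAN (the situation the thread describes, with order data carried forward from earlier certificates), the conservative choice is to treat the evidence as absent and re-validate.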
QA Contact: gerv
Whiteboard: [ca-investigation] → [ca-incident-response]
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-incident-response] → [ca-compliance] [ov-misissuance]