Closed Bug 1420858 Opened 7 years ago Closed 7 years ago

Comodo: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN

Categories

(CA Program :: CA Certificate Compliance, task)

Product:
CA Program
Component:
CA Certificate Compliance
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: quirin, Assigned: rob, Mentored)

Details

(Whiteboard: [ca-compliance] [dv-misissuance])

As per Gerv's request, I am filing individual bugs for [1] -- please confer to [1] for a full background. In this case, Comodo likely mis-issued on a mixed wildcard/non-wildcard SAN, as discussed in [2] and listed in [3]. Comodo has commented on this in [4], partial quote: " Due to a bug in our CAA checking implementation, we were failing to perform CAA checks for these extra dNSNames that weren't explicitly requested by customers. I believe that this is why we did not block issuance of the 4 certificates you identified. We spotted this bug a few weeks ago (sorry, I don't have a note of precisely when), during internal testing against Andrew Ayer's excellent CAA test suite [1]. We prepared a fix. " The certificates in question are the following, of which Comodo has already confirmed numbers 1, 2, 3, and 4 as mis-issuances in [4]: ======== Certificate 1 - Group 1 ======== https://crt.sh/?id=215028491 X509v3 Subject Alternative Name: DNS:*.netservicesgroup.com DNS:netservicesgroup.com Issuer COMODO CA Limited DNS history (Certificate issued on Sep 20): 2017-09-18:netservicesgroup.com. 86400 IN CAA 0 issuewild "comodoca.com" 2017-09-18:netservicesgroup.com. 86400 IN CAA 0 issue ";" 2017-09-19:netservicesgroup.com. 86400 IN CAA 0 issuewild "comodoca.com" 2017-09-19:netservicesgroup.com. 86400 IN CAA 0 issue ";" 2017-09-20:netservicesgroup.com. 86400 IN CAA 0 issuewild "comodoca.com" 2017-09-20:netservicesgroup.com. 86400 IN CAA 0 issue “;" 2017-09-21:netservicesgroup.com. 86400 IN CAA 0 issuewild "comodoca.com" 2017-09-21:netservicesgroup.com. 86400 IN CAA 0 issue ";" 2017-09-23:netservicesgroup.com. 86400 IN CAA 0 issuewild “comodoca.com" 2017-09-23:netservicesgroup.com. 86400 IN CAA 0 issue “;" ======== Certificate 2 - Group 1 ======== https://crt.sh/?id=226175601 X509v3 Subject Alternative Name: DNS:*.drillisch-online.de DNS:drillisch-online.de Issuer: COMODO CA Limited DNS history (Certificate issued on Sep 29): 2017-09-28:drillisch-online.de. 3600 IN CAA 0 issuewild "globalsign.com" 2017-09-28:drillisch-online.de. 3600 IN CAA 0 issuewild "comodoca.com" 2017-09-28:drillisch-online.de. 3600 IN CAA 0 issue ";" 2017-09-29:drillisch-online.de. 3600 IN CAA 0 issuewild "comodoca.com" 2017-09-29:drillisch-online.de. 3600 IN CAA 0 issue ";" 2017-09-30:drillisch-online.de. 3600 IN CAA 0 issuewild "comodoca.com" 2017-09-30:drillisch-online.de. 3600 IN CAA 0 issue ";" ======= Certificate 3 - Group 1 ======= https://crt.sh/?id=221763552 X509v3 Subject Alternative Name: DNS:*.uhlhosting.ch DNS:uhlhosting.ch Issuer: Comodo DNS history (Certificate issued on Sep 29): 2017-09-27: uhlhosting.ch. 14400 IN CAA 0 issuewild “comodoca.com" 2017-09-27: uhlhosting.ch. 14400 IN CAA 0 issue “;” 2017-09-28: uhlhosting.ch. 14400 IN CAA 0 issuewild “comodoca.com” 2017-09-28: uhlhosting.ch. 14400 IN CAA 0 issue “;” 2017-09-29: uhlhosting.ch. 14400 IN CAA 0 issuewild “comodoca.com” 2017-09-29: uhlhosting.ch. 14400 IN CAA 0 issue “;” 2017-09-30: uhlhosting.ch. 14400 IN CAA 0 issuewild “comodoca.com" 2017-09-30: uhlhosting.ch. 14400 IN CAA 0 issue “;” ======== Certificate 4 - Group 1 ======== https://crt.sh/?id=211729608 X509v3 Subject Alternative Name: DNS:*.provida.net DNS:provida.net Issuer: COMODO CA Limited DNS history (Certificate issued on Sep 15): 2017-09-13:provida.net. 600 IN CAA 0 issuewild "comodo.com" 2017-09-13:provida.net. 600 IN CAA 0 issuewild "symantec.com" 2017-09-13:provida.net. 600 IN CAA 0 issue ";" 2017-09-14:provida.net. 600 IN CAA 0 issuewild "comodo.com" 2017-09-14:provida.net. 600 IN CAA 0 issuewild “symantec.com" 2017-09-14:provida.net. 600 IN CAA 0 issue “;" 2017-09-15:provida.net. 600 IN CAA 0 issuewild "comodo.com" 2017-09-15:provida.net. 600 IN CAA 0 issuewild "symantec.com" 2017-09-15:provida.net. 600 IN CAA 0 issue ";" 2017-09-16:provida.net. 600 IN CAA 0 issuewild "comodo.com" 2017-09-16:provida.net. 600 IN CAA 0 issuewild “symantec.com" 2017-09-16:provida.net. 600 IN CAA 0 issue “;" 2017-09-17:provida.net. 600 IN CAA 0 issuewild "comodo.com" 2017-09-17:provida.net. 600 IN CAA 0 issuewild "symantec.com" 2017-09-17:provida.net. 600 IN CAA 0 issue “;” ======= Certificate 5 - Group 1 ====== https://crt.sh/?id=250171539 X509v3 Subject Alternative Name: DNS:*.s5.nl DNS:s5.nl Issuer: Comodo DNS history (Issued Nov 06): 2017-11-03:s5.nl. 3600 IN CAA 0 issue "letsencrypt.org" 2017-11-03:s5.nl. 3600 IN CAA 0 issuewild "comodoca.com" 2017-11-04:s5.nl. 3600 IN CAA 0 issue "letsencrypt.org" 2017-11-04:s5.nl. 3600 IN CAA 0 issuewild "comodoca.com" 2017-11-05:s5.nl. 3600 IN CAA 0 issuewild "comodoca.com" 2017-11-05:s5.nl. 3600 IN CAA 0 issue "letsencrypt.org" 2017-11-06:s5.nl. 3600 IN CAA 0 issuewild "comodoca.com" 2017-11-06:s5.nl. 3600 IN CAA 0 issue "letsencrypt.org" 2017-11-07:s5.nl. 3600 IN CAA 0 issuewild "comodoca.com" 2017-11-07:s5.nl. 3600 IN CAA 0 issue "letsencrypt.org" 2017-11-08:s5.nl. 3600 IN CAA 0 issue "letsencrypt.org" 2017-11-08:s5.nl. 3600 IN CAA 0 issuewild "comodoca.com" 2017-11-09:s5.nl. 3600 IN CAA 0 issue "letsencrypt.org" 2017-11-09:s5.nl. 3600 IN CAA 0 issuewild "comodoca.com" ======= Certificate 6 - Group 1 ====== https://crt.sh/?id=261922875 X509v3 Subject Alternative Name: DNS:*.imagindata.com DNS:imagindata.com Issuer: Comodo DNS history (Issued Oct 14): 2017-10-12:imagindata.com. 300 IN CAA 0 issue “;" 2017-10-12:imagindata.com. 300 IN CAA 0 issuewild “comodoca.com 2017-10-13:imagindata.com. 300 IN CAA 0 issue “;" 2017-10-13:imagindata.com. 300 IN CAA 0 issuewild “comodoca.com 2017-10-14:imagindata.com. 300 IN CAA 0 issue “;" 2017-10-14:imagindata.com. 300 IN CAA 0 issuewild “comodoca.com 2017-10-15:imagindata.com. 300 IN CAA 0 issue “;" 2017-10-15:imagindata.com. 300 IN CAA 0 issuewild “comodoca.com 2017-10-16:imagindata.com. 300 IN CAA 0 issue “;" 2017-10-16:imagindata.com. 300 IN CAA 0 issuewild “comodoca.com ====== Certificate 7 - Group 1 ========= https://crt.sh/?id=235359928 X509v3 Subject Alternative Name: DNS:*.gbase.com DNS:gbase.com Issuer: Comodo DNS history (Issued Oct 17): 2017-10-15:gbase.com. 432000 IN CAA 0 issue ";" 2017-10-15:gbase.com. 432000 IN CAA 0 issuewild "comodoca.com" 2017-10-16:gbase.com. 432000 IN CAA 0 issue ";" 2017-10-16:gbase.com. 432000 IN CAA 0 issuewild “comodoca.com" 2017-10-17:gbase.com. 432000 IN CAA 0 issue ";" 2017-10-17:gbase.com. 432000 IN CAA 0 issuewild “comodoca.com" 2017-10-18:gbase.com. 432000 IN CAA 0 issue ";" 2017-10-18:gbase.com. 432000 IN CAA 0 issuewild “comodoca.com" 2017-10-19:gbase.com. 432000 IN CAA 0 issue ";" 2017-10-19:gbase.com. 432000 IN CAA 0 issuewild “comodoca.com” [1] https://groups.google.com/d/topic/mozilla.dev.security.policy/QpSVjzrj7T4/discussion [2] https://groups.google.com/d/msg/mozilla.dev.security.policy/O9HZPMvHMY8/HtXR8S-1AAAJ [3] https://misissued.com/batch/32/ [4] https://groups.google.com/d/msg/mozilla.dev.security.policy/O9HZPMvHMY8/KTPz90gJAwAJ
Assigning to Comodo rep. Gerv
Assignee: kwilson → rob
Whiteboard: [ca-compliance]
(In reply to Quirin Scheitle from comment #0) <snip> > The certificates in question are the following, of which Comodo has already > confirmed numbers 1, 2, 3, and 4 as mis-issuances in [4]: I realize my statement that "I agree that Comodo should not have issued certificates 1, 3, 4 and 5" [1] was based entirely on the evidence that Quirin provided, since (as I mentioned earlier today in [2]) we haven't retained full logs of our CAA checks back that far. So, whilst it's certainly possible (perhaps even likely) that we saw the same CAA responses that Quirin saw, there's no proof that we did; therefore, I'm not sure whether or not it's reasonable to declare them to have been misissued. Today I queried our logs (which date back to October 12th 06:08:51 UTC) to find all wildcard certificates where we added the "base domain" to the cert despite there being an "issue" property that did not authorize us. I found the following 20 certificates (this includes certificates 5, 6 and 7 from comment #0): https://crt.sh/?id=232809722 https://crt.sh/?id=234516423 https://crt.sh/?id=235359928 https://crt.sh/?id=245726101 https://crt.sh/?id=248180626 https://crt.sh/?id=250093069 https://crt.sh/?id=250171539 https://crt.sh/?id=250728458 https://crt.sh/?id=252699186 https://crt.sh/?id=257184785 https://crt.sh/?id=257276189 https://crt.sh/?id=257627856 https://crt.sh/?id=261922875 https://crt.sh/?id=262224197 https://crt.sh/?id=262245850 https://crt.sh/?id=268300594 https://crt.sh/?id=268300595 https://crt.sh/?id=268300596 https://crt.sh/?id=268300597 https://crt.sh/?id=268300598 Since these 20 were provably misissued, we will proceed to revoke and replace them. [1] https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/O9HZPMvHMY8/KTPz90gJAwAJ [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1420873#c15
(In reply to Rob Stradling from comment #2) > (In reply to Quirin Scheitle from comment #0) > <snip> > > The certificates in question are the following, of which Comodo has already > > confirmed numbers 1, 2, 3, and 4 as mis-issuances in [4]: > > I realize my statement that "I agree that Comodo should not have issued > certificates 1, 3, 4 and 5" [1] was based entirely on the evidence that > Quirin provided, since (as I mentioned earlier today in [2]) we haven't > retained full logs of our CAA checks back that far. So, whilst it's > certainly possible (perhaps even likely) that we saw the same CAA responses > that Quirin saw, there's no proof that we did; therefore, I'm not sure > whether or not it's reasonable to declare them to have been misissued. > Hi Rob, I agree. As I said elsewhere, the purpose of the exercise was to fix holes in CAA validation related to such a CAA configuration. I am happy to see that this is is fixed and you took care of these certificates where you have proof. From my point of view, taking any action on [1-4] without evidence does not make sense. And my lookups are merely hints for cases where something *might* have gone wrong, not evidence. Kind regards Quirin
I'm tracking the revocation status of the 20 certs identified in comment #2 at https://misissued.com/batch/35/.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(In reply to Rob Stradling from comment #2) > Today I queried our logs (which date back to October 12th 06:08:51 UTC) to > find all wildcard certificates where we added the "base domain" to the cert > despite there being an "issue" property that did not authorize us. Is my memory faulty, or did we have a discussion on m.d.s.p. where you pointed out that due to the requirement to use the 10 Blessed Methods (from July), adding in the base domain without a full set of checks was no longer permitted? What checks other than CAA did this codepath avoid? Have you disabled this codepath entirely, or just added CAA to it? Gerv
(In reply to Gervase Markham [:gerv] from comment #5) > (In reply to Rob Stradling from comment #2) > > Today I queried our logs (which date back to October 12th 06:08:51 UTC) to > > find all wildcard certificates where we added the "base domain" to the cert > > despite there being an "issue" property that did not authorize us. > > Is my memory faulty, or did we have a discussion on m.d.s.p. where you > pointed out that due to the requirement to use the 10 Blessed Methods (from > July), adding in the base domain without a full set of checks was no longer > permitted? Hi Gerv. Your memory is not faulty. > What checks other than CAA did this codepath avoid? None. > Have you disabled this codepath entirely, or just added CAA to it? We just added CAA to it, since that was the thing that was lacking. Domain control validation was performed correctly for all of the dNSNames in the 20 certificates listed in comment #2.
(In reply to Rob Stradling from comment #6) > Hi Gerv. Your memory is not faulty. Ohkay... Could we then please have an incident report on the issue of how this continued to be part of Comodo's offering past July? Gerv
(In reply to Gervase Markham [:gerv] from comment #7) > (In reply to Rob Stradling from comment #6) > > Hi Gerv. Your memory is not faulty. > > Ohkay... Could we then please have an incident report on the issue of how > this continued to be part of Comodo's offering past July? Gerv, I don't understand which "this" you believe "continued to be part of Comodo's offering past July" and warrants a new incident report. We revisited Comodo's historic domain control validation practices on m.d.s.p recently [1]: > It was *formerly* Comodo's practice to... > "consider proof of control of 'www.<base_domain>' as also proving > control of '<base_domain>' (except where '<base_domain>' is a public > suffix)" Since July, "any other method" of Domain Control Validation has no longer been permitted, and it is our view that our *former* practice, described above, is not permitted by any of the 10 Blessed Methods. Whilst we haven't stopped our practice of adding a SAN.dNSName for <base_domain> when the certificate request is for www.<base_domain>, *we have performed Domain Control Validation on all SAN.dNSNames added in this way* since July. This bug discusses a flaw in our CAA checking. The bug was fixed on 17th November, and we have already posted an incident report [2]. This bug was entirely unrelated to our Domain Control Validation code. In our system, CAA checking and Domain Control Validation are separate code components. Domain Control Validation must be successfully completed for every SAN.dNSName associated with a certificate request before CAA checking is attempted for any of those SAN.dNSNames. [1] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg08556.html [2] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg08549.html
Ah, yes, sorry. All is clear now. We will keep this bug open at least until https://misissued.com/batch/35/ lists all as revoked. Gerv
Hi Gerv. All 20 certs listed at https://misissued.com/batch/35/ have now been revoked.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [dv-misissuance]
You need to log in before you can comment on or make changes to this bug.