Comodo: CAA Mis-Issuance on mix of wildcard and non-wildcard DNS names in SAN

RESOLVED FIXED

Status

task
RESOLVED FIXED
a year ago
a year ago

People

(Reporter: quirin, Assigned: Rob.Stradling, Mentored)

Tracking

trunk

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [ca-compliance])

(Reporter)

Description

a year ago
As per Gerv's request, I am filing individual bugs for [1] -- please confer to [1] for a full background. 
In this case, Comodo likely mis-issued on a mixed wildcard/non-wildcard SAN, as discussed in [2] and listed in [3]. 
Comodo has commented on this in [4], partial quote:
"
Due to a bug in our CAA checking implementation, we were failing to
perform CAA checks for these extra dNSNames that weren't explicitly
requested by customers.  I believe that this is why we did not block
issuance of the 4 certificates you identified.

We spotted this bug a few weeks ago (sorry, I don't have a note of
precisely when), during internal testing against Andrew Ayer's excellent
CAA test suite [1].  We prepared a fix. 
"

The certificates in question are the following, of which Comodo has already confirmed numbers 1, 2, 3, and 4 as mis-issuances in [4]:

======== Certificate 1 - Group 1 ========
https://crt.sh/?id=215028491
        X509v3 Subject Alternative Name:
                DNS:*.netservicesgroup.com
           DNS:netservicesgroup.com
        Issuer COMODO CA Limited
DNS history (Certificate issued on Sep 20):
2017-09-18:netservicesgroup.com.       86400   IN      CAA     0 issuewild "comodoca.com"
2017-09-18:netservicesgroup.com.       86400   IN      CAA     0 issue ";"
2017-09-19:netservicesgroup.com.       86400   IN      CAA     0 issuewild "comodoca.com"
2017-09-19:netservicesgroup.com.       86400   IN      CAA     0 issue ";"
2017-09-20:netservicesgroup.com.       86400   IN      CAA     0 issuewild "comodoca.com"
2017-09-20:netservicesgroup.com.       86400   IN      CAA     0 issue “;"
2017-09-21:netservicesgroup.com.       86400   IN      CAA     0 issuewild "comodoca.com"
2017-09-21:netservicesgroup.com.       86400   IN      CAA     0 issue ";"
2017-09-23:netservicesgroup.com.       86400   IN      CAA     0 issuewild “comodoca.com"
2017-09-23:netservicesgroup.com.       86400   IN      CAA     0 issue “;"

======== Certificate 2 - Group 1 ========
https://crt.sh/?id=226175601
       X509v3 Subject Alternative Name:
           DNS:*.drillisch-online.de
           DNS:drillisch-online.de
        Issuer: COMODO CA Limited
DNS history (Certificate issued on Sep 29):
2017-09-28:drillisch-online.de.        3600    IN      CAA     0 issuewild "globalsign.com"
2017-09-28:drillisch-online.de.        3600    IN      CAA     0 issuewild "comodoca.com"
2017-09-28:drillisch-online.de.        3600    IN      CAA     0 issue ";"
2017-09-29:drillisch-online.de.        3600    IN      CAA     0 issuewild "comodoca.com"
2017-09-29:drillisch-online.de.        3600    IN      CAA     0 issue ";"
2017-09-30:drillisch-online.de.        3600    IN      CAA     0 issuewild "comodoca.com"
2017-09-30:drillisch-online.de.        3600    IN      CAA     0 issue ";" 

======= Certificate 3 - Group 1 =======
https://crt.sh/?id=221763552
       X509v3 Subject Alternative Name:
           DNS:*.uhlhosting.ch
           DNS:uhlhosting.ch
        Issuer: Comodo
DNS history (Certificate issued on Sep 29):
2017-09-27: uhlhosting.ch.        14400    IN      CAA     0 issuewild “comodoca.com"
2017-09-27: uhlhosting.ch.        14400    IN      CAA     0 issue “;”
2017-09-28: uhlhosting.ch.        14400    IN      CAA     0 issuewild “comodoca.com”
2017-09-28: uhlhosting.ch.        14400    IN      CAA     0 issue “;”
2017-09-29: uhlhosting.ch.        14400    IN      CAA     0 issuewild “comodoca.com”
2017-09-29: uhlhosting.ch.        14400    IN      CAA     0 issue “;”
2017-09-30: uhlhosting.ch.        14400    IN      CAA     0 issuewild “comodoca.com"
2017-09-30: uhlhosting.ch.        14400    IN      CAA     0 issue “;” 


======== Certificate 4 - Group 1 ========
https://crt.sh/?id=211729608
         X509v3 Subject Alternative Name:
             DNS:*.provida.net
             DNS:provida.net
        Issuer: COMODO CA Limited
DNS history (Certificate issued on Sep 15):
2017-09-13:provida.net.        600     IN      CAA     0 issuewild "comodo.com"
2017-09-13:provida.net.        600     IN      CAA     0 issuewild "symantec.com"
2017-09-13:provida.net.        600     IN      CAA     0 issue ";"
2017-09-14:provida.net.        600     IN      CAA     0 issuewild "comodo.com"
2017-09-14:provida.net.        600     IN      CAA     0 issuewild “symantec.com"
2017-09-14:provida.net.        600     IN      CAA     0 issue “;"
2017-09-15:provida.net.        600     IN      CAA     0 issuewild "comodo.com"
2017-09-15:provida.net.        600     IN      CAA     0 issuewild "symantec.com"
2017-09-15:provida.net.        600     IN      CAA     0 issue ";"
2017-09-16:provida.net.        600     IN      CAA     0 issuewild "comodo.com"
2017-09-16:provida.net.        600     IN      CAA     0 issuewild “symantec.com"
2017-09-16:provida.net.        600     IN      CAA     0 issue “;"
2017-09-17:provida.net.        600     IN      CAA     0 issuewild "comodo.com"
2017-09-17:provida.net.        600     IN      CAA     0 issuewild "symantec.com"
2017-09-17:provida.net.        600     IN      CAA     0 issue “;”

======= Certificate 5 - Group 1 ======
https://crt.sh/?id=250171539
           X509v3 Subject Alternative Name:
               DNS:*.s5.nl
               DNS:s5.nl
        Issuer: Comodo
DNS history (Issued Nov 06):
2017-11-03:s5.nl.      3600    IN      CAA     0 issue "letsencrypt.org"
2017-11-03:s5.nl.      3600    IN      CAA     0 issuewild "comodoca.com"
2017-11-04:s5.nl.      3600    IN      CAA     0 issue "letsencrypt.org"
2017-11-04:s5.nl.      3600    IN      CAA     0 issuewild "comodoca.com"
2017-11-05:s5.nl.      3600    IN      CAA     0 issuewild "comodoca.com"
2017-11-05:s5.nl.      3600    IN      CAA     0 issue "letsencrypt.org"
2017-11-06:s5.nl.      3600    IN      CAA     0 issuewild "comodoca.com"
2017-11-06:s5.nl.      3600    IN      CAA     0 issue "letsencrypt.org"
2017-11-07:s5.nl.      3600    IN      CAA     0 issuewild "comodoca.com"
2017-11-07:s5.nl.      3600    IN      CAA     0 issue "letsencrypt.org"
2017-11-08:s5.nl.      3600    IN      CAA     0 issue "letsencrypt.org"
2017-11-08:s5.nl.      3600    IN      CAA     0 issuewild "comodoca.com"
2017-11-09:s5.nl.      3600    IN      CAA     0 issue "letsencrypt.org"
2017-11-09:s5.nl.      3600    IN      CAA     0 issuewild "comodoca.com" 

======= Certificate 6 - Group 1 ======
https://crt.sh/?id=261922875
            X509v3 Subject Alternative Name:
               DNS:*.imagindata.com
               DNS:imagindata.com
        Issuer: Comodo
DNS history (Issued Oct 14):
2017-10-12:imagindata.com.       300     IN      CAA     0 issue “;"
2017-10-12:imagindata.com.       300     IN      CAA     0 issuewild “comodoca.com
2017-10-13:imagindata.com.       300     IN      CAA     0 issue “;"
2017-10-13:imagindata.com.       300     IN      CAA     0 issuewild “comodoca.com
2017-10-14:imagindata.com.       300     IN      CAA     0 issue “;"
2017-10-14:imagindata.com.       300     IN      CAA     0 issuewild “comodoca.com
2017-10-15:imagindata.com.       300     IN      CAA     0 issue “;"
2017-10-15:imagindata.com.       300     IN      CAA     0 issuewild “comodoca.com
2017-10-16:imagindata.com.       300     IN      CAA     0 issue “;"
2017-10-16:imagindata.com.       300     IN      CAA     0 issuewild “comodoca.com

====== Certificate 7 - Group 1 =========
https://crt.sh/?id=235359928
           X509v3 Subject Alternative Name:
               DNS:*.gbase.com
               DNS:gbase.com
        Issuer: Comodo
DNS history (Issued Oct 17):
2017-10-15:gbase.com.  432000  IN      CAA     0 issue ";"
2017-10-15:gbase.com.  432000  IN      CAA     0 issuewild "comodoca.com"
2017-10-16:gbase.com.  432000  IN      CAA     0 issue ";"
2017-10-16:gbase.com.  432000  IN      CAA     0 issuewild “comodoca.com"
2017-10-17:gbase.com.  432000  IN      CAA     0 issue ";"
2017-10-17:gbase.com.  432000  IN      CAA     0 issuewild “comodoca.com"
2017-10-18:gbase.com.  432000  IN      CAA     0 issue ";"
2017-10-18:gbase.com.  432000  IN      CAA     0 issuewild “comodoca.com"
2017-10-19:gbase.com.  432000  IN      CAA     0 issue ";"
2017-10-19:gbase.com.  432000  IN      CAA     0 issuewild “comodoca.com” 



[1] https://groups.google.com/d/topic/mozilla.dev.security.policy/QpSVjzrj7T4/discussion
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/O9HZPMvHMY8/HtXR8S-1AAAJ
[3] https://misissued.com/batch/32/
[4] https://groups.google.com/d/msg/mozilla.dev.security.policy/O9HZPMvHMY8/KTPz90gJAwAJ
Assigning to Comodo rep.

Gerv
Assignee: kwilson → rob

Updated

a year ago
Whiteboard: [ca-compliance]
(Assignee)

Comment 2

a year ago
(In reply to Quirin Scheitle from comment #0)
<snip>
> The certificates in question are the following, of which Comodo has already
> confirmed numbers 1, 2, 3, and 4 as mis-issuances in [4]:

I realize my statement that "I agree that Comodo should not have issued certificates 1, 3, 4 and 5" [1] was based entirely on the evidence that Quirin provided, since (as I mentioned earlier today in [2]) we haven't retained full logs of our CAA checks back that far.  So, whilst it's certainly possible (perhaps even likely) that we saw the same CAA responses that Quirin saw, there's no proof that we did; therefore, I'm not sure whether or not it's reasonable to declare them to have been misissued.

Today I queried our logs (which date back to October 12th 06:08:51 UTC) to find all wildcard certificates where we added the "base domain" to the cert despite there being an "issue" property that did not authorize us.  I found the following 20 certificates (this includes certificates 5, 6 and 7 from comment #0):

https://crt.sh/?id=232809722
https://crt.sh/?id=234516423
https://crt.sh/?id=235359928
https://crt.sh/?id=245726101
https://crt.sh/?id=248180626
https://crt.sh/?id=250093069
https://crt.sh/?id=250171539
https://crt.sh/?id=250728458
https://crt.sh/?id=252699186
https://crt.sh/?id=257184785
https://crt.sh/?id=257276189
https://crt.sh/?id=257627856
https://crt.sh/?id=261922875
https://crt.sh/?id=262224197
https://crt.sh/?id=262245850
https://crt.sh/?id=268300594
https://crt.sh/?id=268300595
https://crt.sh/?id=268300596
https://crt.sh/?id=268300597
https://crt.sh/?id=268300598

Since these 20 were provably misissued, we will proceed to revoke and replace them.


[1] https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/O9HZPMvHMY8/KTPz90gJAwAJ

[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1420873#c15
(Reporter)

Comment 3

a year ago
(In reply to Rob Stradling from comment #2)
> (In reply to Quirin Scheitle from comment #0)
> <snip>
> > The certificates in question are the following, of which Comodo has already
> > confirmed numbers 1, 2, 3, and 4 as mis-issuances in [4]:
> 
> I realize my statement that "I agree that Comodo should not have issued
> certificates 1, 3, 4 and 5" [1] was based entirely on the evidence that
> Quirin provided, since (as I mentioned earlier today in [2]) we haven't
> retained full logs of our CAA checks back that far.  So, whilst it's
> certainly possible (perhaps even likely) that we saw the same CAA responses
> that Quirin saw, there's no proof that we did; therefore, I'm not sure
> whether or not it's reasonable to declare them to have been misissued.
> 
Hi Rob, 

I agree. As I said elsewhere, the purpose of the exercise was to fix holes in CAA validation related to such a CAA configuration. 
I am happy to see that this is is fixed and you took care of these certificates where you have proof. 

From my point of view, taking any action on [1-4] without evidence does not make sense. 
And my lookups are merely hints for cases where something *might* have gone wrong, not evidence. 

Kind regards
Quirin
(Assignee)

Comment 4

a year ago
I'm tracking the revocation status of the 20 certs identified in comment #2 at https://misissued.com/batch/35/.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(In reply to Rob Stradling from comment #2)
> Today I queried our logs (which date back to October 12th 06:08:51 UTC) to
> find all wildcard certificates where we added the "base domain" to the cert
> despite there being an "issue" property that did not authorize us.

Is my memory faulty, or did we have a discussion on m.d.s.p. where you pointed out that due to the requirement to use the 10 Blessed Methods (from July), adding in the base domain without a full set of checks was no longer permitted?

What checks other than CAA did this codepath avoid? Have you disabled this codepath entirely, or just added CAA to it?

Gerv
(Assignee)

Comment 6

a year ago
(In reply to Gervase Markham [:gerv] from comment #5)
> (In reply to Rob Stradling from comment #2)
> > Today I queried our logs (which date back to October 12th 06:08:51 UTC) to
> > find all wildcard certificates where we added the "base domain" to the cert
> > despite there being an "issue" property that did not authorize us.
> 
> Is my memory faulty, or did we have a discussion on m.d.s.p. where you
> pointed out that due to the requirement to use the 10 Blessed Methods (from
> July), adding in the base domain without a full set of checks was no longer
> permitted?

Hi Gerv.  Your memory is not faulty.

> What checks other than CAA did this codepath avoid?

None.

> Have you disabled this codepath entirely, or just added CAA to it?

We just added CAA to it, since that was the thing that was lacking.

Domain control validation was performed correctly for all of the dNSNames in the 20 certificates listed in comment #2.
(In reply to Rob Stradling from comment #6)
> Hi Gerv.  Your memory is not faulty.

Ohkay... Could we then please have an incident report on the issue of how this continued to be part of Comodo's offering past July?

Gerv
(Assignee)

Comment 8

a year ago
(In reply to Gervase Markham [:gerv] from comment #7)
> (In reply to Rob Stradling from comment #6)
> > Hi Gerv.  Your memory is not faulty.
> 
> Ohkay... Could we then please have an incident report on the issue of how
> this continued to be part of Comodo's offering past July?

Gerv,

I don't understand which "this" you believe "continued to be part of Comodo's offering past July" and warrants a new incident report.

We revisited Comodo's historic domain control validation practices on m.d.s.p recently [1]:

> It was *formerly* Comodo's practice to...
>   "consider proof of control of 'www.<base_domain>' as also proving
>    control of '<base_domain>' (except where '<base_domain>' is a public
>    suffix)"

Since July, "any other method" of Domain Control Validation has no longer been permitted, and it is our view that our *former* practice, described above, is not permitted by any of the 10 Blessed Methods.  Whilst we haven't stopped our practice of adding a SAN.dNSName for <base_domain> when the certificate request is for www.<base_domain>, *we have performed Domain Control Validation on all SAN.dNSNames added in this way* since July.

This bug discusses a flaw in our CAA checking.  The bug was fixed on 17th November, and we have already posted an incident report [2].  This bug was entirely unrelated to our Domain Control Validation code.

In our system, CAA checking and Domain Control Validation are separate code components.  Domain Control Validation must be successfully completed for every SAN.dNSName associated with a certificate request before CAA checking is attempted for any of those SAN.dNSNames.


[1] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg08556.html

[2] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg08549.html
Ah, yes, sorry. All is clear now.

We will keep this bug open at least until https://misissued.com/batch/35/ lists all as revoked.

Gerv
(Assignee)

Comment 10

a year ago
Hi Gerv.  All 20 certs listed at https://misissued.com/batch/35/ have now been revoked.
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.