Closed Bug 1420873 Opened 7 years ago Closed 7 years ago

Comodo/cPanel: Potential Mis-Issuance based on CAA records (Sep 28, 2017)

Categories: CA Program :: CA Certificate Compliance (type: task, priority: not set, severity: normal)

Tracking: not tracked

Status: RESOLVED INVALID

People: Reporter: quirin; Assignee: rob (Mentored)

Whiteboard: [ca-compliance]

Attachments: 1 file (1.23 KB, application/x-x509-ca-cert)
As per Gerv's request, I am filing individual bugs for [1] -- please refer to [1] for the full background.

In the 2 cases below, Comodo/cPanel seems not to have validated CAA records - please find our record of CAA data for those domains below.

Please note that this is well past the initial issues that Comodo faced up to Sep 12, 2017 (see Bug 1398545).

[1] https://groups.google.com/d/topic/mozilla.dev.security.policy/QpSVjzrj7T4/discussion
[2] Batch: https://misissued.com/batch/33/

======= Certificate 17 - Group 4 =======
https://crt.sh/?id=255113449
           X509v3 Subject Alternative Name:
               DNS:*.bankvrn.ru
               DNS:bankvrn.ru
        Issuer: Comodo
DNS history(Issued Sep 28)
2017-09-27:bankvrn.ru. 3600    IN      CAA     0 issue "geotrust.com"
2017-09-27:bankvrn.ru. 3600    IN      CAA     0 issue "letsencrypt.org"
2017-09-27:bankvrn.ru. 3600    IN      CAA     0 issue "thawte.com"
2017-09-27:bankvrn.ru. 3600    IN      CAA     0 issue "wosign.com"
2017-09-27:bankvrn.ru. 3600    IN      CAA     0 issuewild ";"
2017-09-28:bankvrn.ru. 3600    IN      CAA     0 issue "letsencrypt.org"
2017-09-28:bankvrn.ru. 3600    IN      CAA     0 issue "wosign.com"
2017-09-28:bankvrn.ru. 3600    IN      CAA     0 issue "thawte.com"
2017-09-28:bankvrn.ru. 3600    IN      CAA     0 issue "geotrust.com"
2017-09-28:bankvrn.ru. 3600    IN      CAA     0 issuewild ";"
2017-09-29:bankvrn.ru. 3600    IN      CAA     0 issue "thawte.com"
2017-09-29:bankvrn.ru. 3600    IN      CAA     0 issue "letsencrypt.org"
2017-09-29:bankvrn.ru. 3600    IN      CAA     0 issue "geotrust.com"
2017-09-29:bankvrn.ru. 3600    IN      CAA     0 issue "wosign.com"
2017-09-29:bankvrn.ru. 3600    IN      CAA     0 issuewild ";" 


======== Certificate 18 - Group 4 =======
https://crt.sh/?id=252132456
           X509v3 Subject Alternative Name:
               DNS:mc21colombia.com
               DNS:www.mc21colombia.com
        Issuer: cPanel (-> Comodo)
DNS history (Issued Oct 17):
2017-10-14:mc21colombia.com.   3600    IN      CAA     0 issuewild "digicert.com"
2017-10-15:mc21colombia.com.   3600    IN      CAA     0 issuewild "digicert.com"
2017-10-17:mc21colombia.com.   3600    IN      CAA     0 issuewild "digicert.com"
2017-10-18:mc21colombia.com.   300     IN      CAA     0 issuewild "digicert.com"
2017-10-18:mc21colombia.com.   300     IN      CAA     0 issue "digicert.com"
2017-10-19:mc21colombia.com.   300     IN      CAA     0 issue "digicert.com"
2017-10-19:mc21colombia.com.   300     IN      CAA     0 issuewild "digicert.com"
2017-10-20:mc21colombia.com.   300     IN      CAA     0 issue "digicert.com"
2017-10-20:mc21colombia.com.   300     IN      CAA     0 issuewild "digicert.com"
2017-10-21:mc21colombia.com.   300     IN      CAA     0 issuewild "digicert.com"
2017-10-21:mc21colombia.com.   300     IN      CAA     0 issue "digicert.com"
2017-10-22:mc21colombia.com.   300     IN      CAA     0 issuewild "digicert.com"
2017-10-22:mc21colombia.com.   300     IN      CAA     0 issue "digicert.com"
Over to Comodo rep.

Gerv
Assignee: kwilson → rob
Just to add to this, I have also had a misissuance today involving cPanel/Comodo.

Issued to web-seo.prod.ext.cuvva.co

Serial number: 00 D9 E5 BC 34 B0 89 A1 F5 A3 73 83 B1 93 E5 14 7F
SHA1 hash: 78 45 20 2B 7F E2 F8 DE 11 40 93 62 4C E9 A8 D9 98 81 2E 50

Unfortunately doesn't seem to be in the CT logs, so can't link the crt.sh page.

cuvva.co CAA record set to:

cuvva.co.		21599	IN	CAA	0 iodef "mailto:security@cuvva.com"
cuvva.co.		21599	IN	CAA	0 issue "amazon.com"
cuvva.co.		21599	IN	CAA	0 issuewild "amazon.com"

No CAA records on web-seo.prod.ext.cuvva.co, prod.ext.cuvva.co or ext.cuvva.co.

No email received in relation to the misissuance.
(In reply to james from comment #2)
> Just to add to this, I have also had a misissuance today involving
> 
> Unfortunately doesn't seem to be in the CT logs, so can't link the crt.sh
> page.

I submitted it to a few CT logs: https://crt.sh/?id=266205228
Much appreciated

Added here also: https://misissued.com/batch/34/
And this is the intermediate: https://crt.sh/?id=12715889
Just to confirm as a third party, we have observed the above-mentioned CAA set (issue and issuewild amazon.com) for cuvva.co since Nov 10 on all its name servers.

Precise timestamps (excluding before 11-26):
2017-11-26 10:32 UTC
2017-11-26 18:32 UTC
2017-11-27 02:33 UTC
2017-11-27 10:34 UTC
2017-11-27 18:33 UTC
2017-11-28 02:33 UTC
2017-11-28 10:33 UTC
2017-11-28 18:33 UTC

We don't have data for the subdomains.
Whiteboard: [ca-compliance]
For Certificate 18 (https://crt.sh/?id=252132456), we performed a CAA query for mc21colombia.com at 2017-10-18 13:59:21 UTC and received this response:

  ;; opcode: QUERY, status: NOERROR
  ;; flags: qr rd ra;

  ;; QUESTION SECTION:
  ;mc21colombia.com.	IN	 CAA

  ;; ANSWER SECTION:
  mc21colombia.com.	IN	CAA	0 issuewild "digicert.com"

  ;; ADDITIONAL SECTION:

  ;; OPT PSEUDOSECTION:
  ; EDNS: version 0; flags: do; udp: 4096

Since there was no "issue" property in this CAA response, we consider this report to be a false positive.
Quirin: actually, that's the same as what you saw. Why did you file a report on cert 18 when, in fact, the CAA records on the date of issuance were entirely consistent with Comodo issuing a cert?

Gerv
Gerv,

Quirin saw:
2017-10-18:mc21colombia.com.   300     IN      CAA     0 issuewild "digicert.com"
2017-10-18:mc21colombia.com.   300     IN      CAA     0 issue "digicert.com"

If we'd seen that, it would have counted as a misissuance.  (But we didn't, so it wasn't).
The notes above say that the cert was issued on the 17th, when he saw:

2017-10-17:mc21colombia.com.   3600    IN      CAA     0 issuewild "digicert.com"

Gerv
If it was issued on the 17th, why are the first entries into the CT logs on the 11th?
Gerv,
The TBSCertificate for https://crt.sh/?id=252132456 was generated at precisely 14:59:24 UTC on the 18th October, according to our logs.  Quirin's note (alleging issuance on the 17th October) is incorrect.

James,
There are no entries in any CT logs until the 11th November simply because nobody logged this certificate until then.
Hi,

thank you for the discussion. 

Per Gerv's question, I mistyped the "DNS history (Issued Oct 17):" string. It should have said Oct 18, on which, as per Rob's comment, we saw the below records which would not have permitted Comodo to issue non-wild.
> 2017-10-18:mc21colombia.com.   300     IN      CAA     0 issuewild "digicert.com"
> 2017-10-18:mc21colombia.com.   300     IN      CAA     0 issue "digicert.com"

However, our scan occurred past their issuance timestamp. 
I am happy to accept Rob's evidence to label this a false positive.

This was a very close call on whether to report it or not, as the restrictive record was not set for several days before the issuance time. 
In hindsight, this should not have been reported as it had a high false positive chance. My apologies.

As to James's question: The certificate was created on *Oct* 18, but logged on *Nov* 11.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
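The three cases discussed in this bug all come down to how RFC 6844 selects the relevant CAA property set: Rob's comment on Certificate 18 (an RRset containing only "issuewild" does not restrict a non-wildcard name), the Sep 27 bankvrn.ru RRset quoted in the report (Comodo absent from "issue", and issuewild ";"), and the cuvva.co case (no records on the subdomains, so the lookup climbs to cuvva.co, which permits only amazon.com). The following is an added example, not code from Comodo, cPanel, the scanner, or anyone in this thread. It assumes Comodo's CAA identifier is "comodoca.com" (the value seen in Rob's dig output further down), that the climb stops before the TLD, and that no CNAME/DNAME redirection is involved; the RRsets are transcribed from the comments above.

```python
"""RFC 6844 CAA evaluation (issue / issuewild, tree climbing) applied to the
RRsets quoted in this bug. Added example; not code from Comodo, cPanel or the scanner.
"""
from dataclasses import dataclass

CRITICAL = 128  # RFC 6844 s.5.1 "issuer critical" flag bit


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(rdata: str) -> CAARecord:
    """Parse CAA RDATA in dig's presentation form, e.g. '0 issue "digicert.com"'."""
    flags, tag, value = rdata.strip().split(None, 2)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return CAARecord(int(flags), tag.lower(), value)


def relevant_rrset(name: str, zone: dict):
    """Climb from `name` toward the root and return (owner, rrset) for the first
    non-empty CAA RRset. `zone` maps owner names (trailing dot) to CAA records.
    Assumption for this example: the climb stops before the TLD, no CNAME/DNAME."""
    labels = name.rstrip(".").removeprefix("*.").split(".")
    while len(labels) >= 2:
        owner = ".".join(labels) + "."
        if zone.get(owner):
            return owner, zone[owner]
        labels = labels[1:]
    return None, []


def ca_permitted(name: str, ca_domain: str, zone: dict):
    """Return (permitted, reason) for issuing `name` by the CA identified by `ca_domain`."""
    owner, rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, f"no CAA RRset for {name} or any parent: issuance unrestricted"
    # A critical property the CA does not understand forbids issuance outright.
    unknown_critical = [r for r in rrset
                        if r.flags & CRITICAL and r.tag not in ("issue", "issuewild", "iodef")]
    if unknown_critical:
        return False, f"{owner}: critical property {unknown_critical[0].tag!r} not understood"
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # RFC 6844 s.4: issuewild governs wildcard names only if present; otherwise issue applies.
    if name.startswith("*.") and issuewild:
        tag, relevant = "issuewild", issuewild
    else:
        tag, relevant = "issue", issue
    if not relevant:
        return True, f"{owner} has no '{tag}' property: issuance of {name} is unrestricted"
    # The CA domain precedes any ';'-separated parameters; a bare ';' names no CA at all.
    permitted = {r.value.split(";", 1)[0].strip().lower() for r in relevant}
    permitted.discard("")
    if ca_domain.lower() in permitted:
        return True, f"{owner} {tag} lists {ca_domain}"
    return False, f"{owner} {tag} set {sorted(permitted) or ['<none>']} excludes {ca_domain}"


def evaluate(sans, ca_domain: str, zone: dict) -> dict:
    """Evaluate every SAN of a certificate request; any False means issuance is forbidden."""
    return {san: ca_permitted(san, ca_domain, zone) for san in sans}


def rrset(*rdatas):
    return [parse_caa(r) for r in rdatas]


# RRsets transcribed from the comments in this bug (owner names carry a trailing dot).
BANKVRN_2017_09_27 = {"bankvrn.ru.": rrset(
    '0 issue "geotrust.com"', '0 issue "letsencrypt.org"', '0 issue "thawte.com"',
    '0 issue "wosign.com"', '0 issuewild ";"')}
BANKVRN_2017_12_01 = {"bankvrn.ru.": rrset(
    '0 issue "letsencrypt.org"', '0 issuewild "comodoca.com"', '0 issue "comodoca.com"')}
MC21_CA_VIEW = {"mc21colombia.com.": rrset('0 issuewild "digicert.com"')}  # Comodo's logged response
MC21_SCANNER_VIEW = {"mc21colombia.com.": rrset(                              # Quirin's Oct 18 scan
    '0 issuewild "digicert.com"', '0 issue "digicert.com"')}
CUVVA = {"cuvva.co.": rrset(
    '0 iodef "mailto:security@cuvva.com"', '0 issue "amazon.com"', '0 issuewild "amazon.com"')}

if __name__ == "__main__":
    for label, sans, zone in [
        ("cert 17 vs Sep 27 RRset", ["*.bankvrn.ru", "bankvrn.ru"], BANKVRN_2017_09_27),
        ("cert 17 vs Dec 1 RRset", ["*.bankvrn.ru", "bankvrn.ru"], BANKVRN_2017_12_01),
        ("cert 18, CA's view", ["mc21colombia.com", "www.mc21colombia.com"], MC21_CA_VIEW),
        ("cert 18, scanner's view", ["mc21colombia.com", "www.mc21colombia.com"], MC21_SCANNER_VIEW),
        ("cuvva.co", ["web-seo.prod.ext.cuvva.co"], CUVVA),
    ]:
        for san, (ok, why) in evaluate(sans, "comodoca.com", zone).items():
            print(f"{label}: {san}: {'PERMITTED' if ok else 'DENIED'} ({why})")
```

Run against the Sep 27 bankvrn.ru RRset, both SANs of Certificate 17 are denied for comodoca.com (the wildcard by issuewild ";", the apex by the issue list); against the Dec 1 RRset both are permitted. For Certificate 18 the CA's logged response (issuewild only) leaves the non-wildcard names unrestricted, while the scanner's Oct 18 RRset with issue "digicert.com" would deny Comodo, which is exactly the difference Rob and Quirin settle on. For web-seo.prod.ext.cuvva.co the climb reaches cuvva.co, whose issue property names only amazon.com.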
For Certificate 17 (https://crt.sh/?id=255113449):

I'm afraid we've only retained full logs of all our CAA checks back to October 12th 06:08:51 UTC, so unfortunately I'm unable to comment on what CAA response(s) we relied on to issue this certificate.

However, this is the most recent certificate we've issued to this domain (https://crt.sh/?q=%25bankvrn.ru shows them all), and a live CAA lookup just now (see below) shows that Comodo are currently authorized to issue.  Would it be unreasonable to speculate that the domain owner configured this most recent CAA record set in advance of requesting this most recent certificate?


> dig CAA +dnssec bankvrn.ru

; <<>> DiG 9.11.1-P3 <<>> CAA +dnssec bankvrn.ru
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56731
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;bankvrn.ru.                    IN      CAA

;; ANSWER SECTION:
bankvrn.ru.             3593    IN      CAA     0 issue "letsencrypt.org"
bankvrn.ru.             3593    IN      CAA     0 issuewild "comodoca.com"
bankvrn.ru.             3593    IN      CAA     0 issue "comodoca.com"
bankvrn.ru.             3593    IN      RRSIG   CAA 8 2 3600 20171227010801 20171129010801 11331 bankvrn.ru. M5BFYMT08T0qt5LYKP4SeVwUIENt2byGH3lxg5PCrl1eb98W6SeUsZ3N DNDWKo0miRc/Qp/LLEzg9t6irdvIdJ2agVC8cachJUF+ANVybOpFmtkE 1Tq9biZeRLlviNRKI3Woglh0k9CUS4Xiy9kdAkCth4YsQgl9gYznfqu2 yRg=

;; Query time: 0 msec
;; SERVER: 192.168.0.203#53(192.168.0.203)
;; WHEN: Fri Dec 01 14:46:19 GMT 2017
;; MSG SIZE  rcvd: 309
Hang on, this should still be kept open - the issue highlighted on the cuvva.co domain was first hand. I saw it happen in person.
(In reply to james from comment #2)
> Just to add to this, I have also had a misissuance today involving
> cPanel/Comodo.
> 
> Issued to web-seo.prod.ext.cuvva.co
<snip>

James, thanks for reporting this.  I've looked at our logs for this certificate and discovered a new bug, which I think would be best tracked in a new Bugzilla issue.  Feel free to file one if you want.  If not, I'll file one later.
(In reply to Rob Stradling from comment #15)
> For Certificate 17 (https://crt.sh/?id=255113449):
> 
> I'm afraid we've only retained full logs of all our CAA checks back to
> October 12th 06:08:51 UTC, so unfortunately I'm unable to comment on what
> CAA response(s) we relied on to issue this certificate.
> 
> However, this is the most recent certificate we've issued to this domain
> (https://crt.sh/?q=%25bankvrn.ru shows them all), and a live CAA lookup just
> now (see below) shows that Comodo are currently authorized to issue.  Would
> it be unreasonable to speculate that the domain owner configured this most
> recent CAA record set in advance of requesting this most recent certificate?
> 

Hi, 

the purpose of this exercise was mainly to help in finding and fixing potential flaws in CAA validation using these examples.
If you are confident that the above configuration would not have caused such an anomaly, I don't see much of a point in chasing down this specific example. 

I would close this as "can't tell", then.

Kind regards
Quirin

--
As a record of data, and to possibly learn for the future, 
we did see the Comodo-excluding issue set stable from Sep 15 through Oct 4. 
Starting on 2017-10-05 08:41:55, we did see the change to the now persisting issue set including Comodo. 

If we look at SOA Serial changes for the zone, we see no change on Sep 28:

(before)            -- 2017092001
2017-09-27 00:30:02 -- 2017092701
2017-10-04 00:41:11 -- 2017100401
2017-10-05 08:41:50 -- 2017100501

So, there is no zone update signaled on Sep 28, but the zone usually updates their serials when changing the zone files. 
However, the zone may have changed without a serial update, or you may have received a different reply as part of a split-horizon setup.
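Quirin's last two comments describe the evidence a scanner can actually offer: the last observation before the issuance time, the first observation after it, and whether the zone's SOA serial changed in between. The following added example (not the scanner's code, nor anything from Comodo or cPanel) turns that into a decision rule. Each observation carries the result of evaluating the observed RRset for the issuing CA (True = CA permitted), which is taken from the RRsets quoted above; the times of day for observations and issuance are constructed where the thread gives only a date, and the cuvva.co issuance time is assumed.

```python
"""Classify a suspected CAA misissuance from periodic scanner observations.

Added example: not code from the scanner, Comodo or cPanel. Each observation
carries the CAA evaluation outcome for the issuing CA at that time and, if known,
the zone's SOA serial seen alongside it.
"""
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional, Tuple


class Observation(NamedTuple):
    seen_at: datetime                  # scanner query time, UTC
    ca_permitted: bool                 # CAA evaluation outcome for the issuing CA
    soa_serial: Optional[int] = None   # zone serial observed at the same time, if recorded


def utc(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def classify(observations: List[Observation], issued_at: datetime) -> Tuple[str, str]:
    """Return (verdict, reason); verdicts are no finding, indeterminate, possible, probable."""
    before = [o for o in observations if o.seen_at <= issued_at]
    after = [o for o in observations if o.seen_at > issued_at]
    if not before:
        return "indeterminate", "no observation precedes the issuance time"
    last_before = max(before, key=lambda o: o.seen_at)
    if last_before.ca_permitted:
        # The CA may have seen exactly this RRset; a later restrictive scan proves nothing.
        return "no finding", (f"CA permitted at {last_before.seen_at:%Y-%m-%d %H:%M}Z, "
                              "the last scan before issuance")
    if not after:
        return "possible", "CA denied before issuance, but no later scan shows the records persisted"
    first_after = min(after, key=lambda o: o.seen_at)
    if first_after.ca_permitted:
        return "indeterminate", "the RRset changed between the scans bracketing issuance"
    serials = (last_before.soa_serial, first_after.soa_serial)
    if None in serials:
        return "possible", "CA denied on both sides of issuance; no SOA serial evidence"
    if serials[0] != serials[1]:
        return "indeterminate", f"zone serial changed {serials[0]} -> {serials[1]} between the bracketing scans"
    return "probable", f"CA denied on both sides of issuance and SOA serial {serials[0]} unchanged"


# Constructed timelines for the CA comodoca.com, based on the dates quoted in this bug;
# times of day are assumed where the thread gives only a date.
CASES = {
    # Certificate 17: Comodo absent from 'issue', issuewild ";", serial 2017092701 from Sep 27 to Oct 4.
    "bankvrn.ru": ([Observation(utc("2017-09-27 00:30:00"), False, 2017092701),
                    Observation(utc("2017-09-29 00:30:00"), False, 2017092701)],
                   utc("2017-09-28 12:00:00")),
    # Certificate 18: the Oct 17 scan saw only issuewild (CA permitted); the Oct 18 scan that
    # saw issue "digicert.com" ran after the 14:59:24 UTC issuance.
    "mc21colombia.com": ([Observation(utc("2017-10-17 12:00:00"), True),
                          Observation(utc("2017-10-18 20:00:00"), False)],
                         utc("2017-10-18 14:59:24")),
    # cuvva.co: issue "amazon.com" seen at every 8-hour scan; no serial data; issuance time assumed.
    "web-seo.prod.ext.cuvva.co": ([Observation(utc("2017-11-28 10:33:00"), False),
                                   Observation(utc("2017-11-28 18:33:00"), False)],
                                  utc("2017-11-28 12:00:00")),
}


def run_cases() -> dict:
    return {name: classify(obs, issued)[0] for name, (obs, issued) in CASES.items()}


if __name__ == "__main__":
    for name, (obs, issued) in CASES.items():
        verdict, reason = classify(obs, issued)
        print(f"{name}: {verdict} ({reason})")
```

With these inputs Certificate 18 comes out as "no finding", because the scan preceding issuance already permitted Comodo, which is the false positive Quirin acknowledges above; Certificate 17 is "probable" only because the Sep 27 and Sep 29 scans both deny Comodo and carry the same serial, and even that, as Quirin notes, cannot exclude a split-horizon answer or a zone edit without a serial bump; the cuvva.co case stays "possible" from scanner data alone and needed the CA's own logs to be confirmed.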
(In reply to Rob Stradling from comment #17)
> (In reply to james from comment #2)
> > Just to add to this, I have also had a misissuance today involving
> > cPanel/Comodo.
> > 
> > Issued to web-seo.prod.ext.cuvva.co
> <snip>
> 
> James, thanks for reporting this.  I've looked at our logs for this
> certificate and discovered a new bug, which I think would be best tracked in
> a new Bugzilla issue.  Feel free to file one if you want.  If not, I'll file
> one later.

James,

I've just posted an incident report for this misissuance to bug #1423624.
Product: NSS → CA Program