Closed Bug 1524875 Opened 5 years ago Closed 5 years ago

DigiCert: IP in dnsName

Categories

(CA Program :: CA Certificate Compliance, task)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jonathan, Assigned: brenda.bernal)

Details

(Whiteboard: [ca-compliance] [leaf-revocation-delay])

DigiCert issued the following certificates with invalid dnsNames containing IP addresses (there are more that expired without being revoked; I just pulled the ones that were still valid/unrevoked and logged to CT at the time of my query). It looks like they stopped issuing these invalid certificates in 2017, but they did not revoke them, provide an incident report, or explain their decision to let them expire instead of revoking them when they stopped this practice.

I notified them at 2019-01-29 17:43 UTC and received confirmation the same day that they were investigating. All of the reported certificates were revoked over the next few days.

https://crt.sh/?opt=zlint&id=12583780
https://crt.sh/?opt=zlint&id=12612205
https://crt.sh/?opt=zlint&id=13281036
https://crt.sh/?opt=zlint&id=15151907
https://crt.sh/?opt=zlint&id=15788318
https://crt.sh/?opt=zlint&id=15788321
https://crt.sh/?opt=zlint&id=17493965
https://crt.sh/?opt=zlint&id=23794832
https://crt.sh/?opt=zlint&id=29702007
https://crt.sh/?opt=zlint&id=35134000
https://crt.sh/?opt=zlint&id=35134009
https://crt.sh/?opt=zlint&id=35134018
https://crt.sh/?opt=zlint&id=35658945
https://crt.sh/?opt=zlint&id=35658952
https://crt.sh/?opt=zlint&id=36640583
https://crt.sh/?opt=zlint&id=40857649
https://crt.sh/?opt=zlint&id=41830097
https://crt.sh/?opt=zlint&id=42064583
https://crt.sh/?opt=zlint&id=42306024
https://crt.sh/?opt=zlint&id=42573253
https://crt.sh/?opt=zlint&id=45054336
https://crt.sh/?opt=zlint&id=48271667
https://crt.sh/?opt=zlint&id=51755563
https://crt.sh/?opt=zlint&id=63173885
https://crt.sh/?opt=zlint&id=63173879
https://crt.sh/?opt=zlint&id=63192689
https://crt.sh/?opt=zlint&id=79654336
https://crt.sh/?opt=zlint&id=80246228
https://crt.sh/?opt=zlint&id=80494957
https://crt.sh/?opt=zlint&id=83795007
https://crt.sh/?opt=zlint&id=86826792
https://crt.sh/?opt=zlint&id=92696130
https://crt.sh/?opt=zlint&id=92696126
https://crt.sh/?opt=zlint&id=92696127
https://crt.sh/?opt=zlint&id=97192145
https://crt.sh/?opt=zlint&id=102506442
https://crt.sh/?opt=zlint&id=103169070
https://crt.sh/?opt=zlint&id=105622453
https://crt.sh/?opt=zlint&id=108174807
https://crt.sh/?opt=zlint&id=108236126
https://crt.sh/?opt=zlint&id=108236129
https://crt.sh/?opt=zlint&id=108236130
https://crt.sh/?opt=zlint&id=108236137
https://crt.sh/?opt=zlint&id=187235270
https://crt.sh/?opt=zlint&id=209568012
https://crt.sh/?opt=zlint&id=282634648
https://crt.sh/?opt=zlint&id=282634711
https://crt.sh/?opt=zlint&id=282634738
https://crt.sh/?opt=zlint&id=282638252
https://crt.sh/?opt=zlint&id=282638239
https://crt.sh/?opt=zlint&id=282640346
https://crt.sh/?opt=zlint&id=282645912
https://crt.sh/?opt=zlint&id=282652940
https://crt.sh/?opt=zlint&id=282903464
https://crt.sh/?opt=zlint&id=282903948
https://crt.sh/?opt=zlint&id=282909241
https://crt.sh/?opt=zlint&id=804513002

Assignee: wthayer → brenda.bernal
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
QA Contact: kwilson → wthayer
Whiteboard: [ca-compliance]

This incident report documents both sets of certificates related to DigiCert's and CyberTrust Japan's issuance of IP addresses in SAN DNS names that were reported.

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

Cybertrust Japan (CTJ) had issued certificates with IP addresses in SAN DNS until April 6, 2017 and had not revoked the certificates.

CTJ - Notification from DigiCert.

DigiCert – We were notified via a problem report on our alias revoke@digicert.com on Tues Jan 29, 2019 at 10:44 am MT. We acknowledged receipt of the report within 1 hour at 11:44 am MT.

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

CTJ report (All times are JST)

January 30, 2019, 08:41 - Our point of contact received notification from our root CA, DigiCert

January 30, 2019, 09:07 - Reported to the PA at CTJ that we would start an investigation

January 30, 2019, 09:46 - Confirmed to DigiCert that we had acknowledged the notification

January 30, 2019, 10:40 - Scanning for and identifying the affected certificates completed. Also started preparing the customer contact list and the announcement of this issue to customers

January 30, 2019, 13:00 - PA approved the content of the announcement. Sales team and support team were trained on how to proceed with this issue. Started contacting the customers

January 30, 2019, 18:37 - Contacting all the customers completed

February 3, 2019, 23:14 - All of the certificates were revoked

DigiCert: Confirmed the cert issues immediately on January 29, 2019, by no later than 1:00pm MT.
The plan to revoke DigiCert certs was put in motion by January 30, 2019, notifying customers with a deadline for revocation of Friday, February 1, 2019 @ 5pm MT.

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

CTJ stopped issuing these certificates on April 6, 2017, when we patched our systems not to include IP addresses in the SAN DNS Name field.

DigiCert's system block was implemented in April 2016 to not allow IP addresses in the DNS SANs. However, we did not sweep the system for existing certs with this condition in order to revoke them. We have since completed a comprehensive sweep (see 5 below).

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
DigiCert:

There were a total of 57 in the report, including duplicates (leaf and pre-certificates). 6 certs were issued by DigiCert in total, excluding the duplicates and the CTJ-issued certificates (details below). For DigiCert, the first issuance was in November 2015. The last certificate was issued in March 2016.

CTJ:
The number of affected and active certificates is 36. The last certificate was issued on March 24, 2017. The first certificate was issued after the BRs were established. DigiCert reported to us that the number was 51 when they contacted us, as mentioned in section 2 (timeline) of this report. By scanning our issuance records ourselves, which is also addressed in section 2, we found that some of the 51 were double-counted (precert and leaf cert) and some had already expired. Furthermore, we found that a few certificates were missing from the 51 but had to be revoked. These few certificates had been issued before Certificate Transparency was introduced, so they could not be found by searching crt.sh. We therefore added them to a CT log server.

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
Below is the list of the certificates (from CTJ):
https://crt.sh/?id=282638252
https://crt.sh/?id=282909241
https://crt.sh/?id=1158538055
https://crt.sh/?id=1158538370
https://crt.sh/?id=1158538443
https://crt.sh/?id=42573253
https://crt.sh/?id=105622453
https://crt.sh/?id=1158538107
https://crt.sh/?id=41830097
https://crt.sh/?id=1158538448
https://crt.sh/?id=282638239
https://crt.sh/?id=1158538555
https://crt.sh/?id=1163855299
https://crt.sh/?id=282640346
https://crt.sh/?id=804513002
https://crt.sh/?id=1158538336
https://crt.sh/?id=1158538334
https://crt.sh/?id=282634648
https://crt.sh/?id=1158538379
https://crt.sh/?id=1158538338
https://crt.sh/?id=45054336
https://crt.sh/?id=1158540224
https://crt.sh/?id=1158538343
https://crt.sh/?id=282903464
https://crt.sh/?id=1158538551
https://crt.sh/?id=282634738
https://crt.sh/?id=1158539115
https://crt.sh/?id=1158538359
https://crt.sh/?id=1158349181
https://crt.sh/?id=1158350686
https://crt.sh/?id=1158538550
https://crt.sh/?id=1158538425
https://crt.sh/?id=282634711
https://crt.sh/?id=1158349171
https://crt.sh/?id=282652940
https://crt.sh/?id=209568012

Digicert-issued:
https://crt.sh/?opt=zlint&id=12583780&opt=ocsp,zlint
https://crt.sh/?opt=zlint&id=12612205&opt=ocsp,zlint
https://crt.sh/?opt=zlint&id=42064583&opt=ocsp,zlint
https://crt.sh/?opt=zlint&id=187235270&opt=ocsp,zlint
https://crt.sh/?opt=zlint&id=282645912&opt=ocsp,zlint
https://crt.sh/?opt=zlint&id=282903948&opt=ocsp,zlint

Additionally, we ran a report across our database of active certificates on Friday, February 1, 2019, and found 9 additional certificates with this problem. We are revoking those within 5 days (no later than Tues, February 6). We will post the crt.sh links as soon as we complete the revocations.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

DigiCert:

The problem report allowed our management to review the matter and to decide that the existing certificates needed to be revoked. These types of certificates have been disallowed by our system since April 2016, but we did not revoke the previously issued ones.

CTJ:

We acknowledged that adding an IP address to the SAN DNS Name is prohibited in principle. However, at the same time we thought that this practice was allowed for legacy browser implementations.

In April 2017, we patched our system to cease the practice because we thought all browsers had become capable of handling the SAN IP address field. We had not realized the necessity of retrospectively revoking the certificates issued in the past until DigiCert corrected us.

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

CTJ:
We patched our system on April 6, 2017 to prevent issuing certificates with IP addresses in SAN DNS. In addition, we added pre-issuance linting to our system on March 30, 2018.

DigiCert:
We stopped issuing these types of certificates in April 2016. We run pre-issuance zlint, which would catch these instances in case our patch from 2016 for blocking these certificates is altered.
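The pre-issuance check that sections 3 and 7 describe (a lint that rejects a to-be-signed certificate carrying an IP literal in a dNSName SAN entry) can be written in a few dozen lines of Go. The program below is an added example, not the CAs' own code and not zlint: it builds a constructed, throwaway self-signed certificate in the shape of the certificates in this bug, walks the raw subjectAltName extension and reports every dNSName whose value is really an IPv4 or IPv6 address, then builds the correct shape (host name in dNSName, address in iPAddress, per RFC 5280 section 4.2.1.6) and shows that it passes. The helper names selfSigned and LintIPInDNSName and the sample names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// id-ce-subjectAltName (RFC 5280, section 4.2.1.6).
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

// GeneralName context-specific tags that matter for this lint.
const (
	tagDNSName   = 2 // dNSName [2] IA5String: a host name, never an IP literal
	tagIPAddress = 7 // iPAddress [7] OCTET STRING: where an address belongs
)

// LintIPInDNSName parses a DER certificate, walks the raw SAN extension and
// returns every dNSName entry that is actually an IPv4 or IPv6 literal.
// Properly encoded iPAddress entries (tag 7) are correct and are not reported.
// The raw extension is used rather than cert.DNSNames so the check sees exactly
// what was encoded and can tell the two GeneralName types apart by tag.
func LintIPInDNSName(der []byte) ([]string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	var findings []string
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		// SubjectAltName ::= SEQUENCE OF GeneralName. Decode the outer SEQUENCE,
		// then each GeneralName as a RawValue so its context tag stays visible.
		var seq asn1.RawValue
		rest, err := asn1.Unmarshal(ext.Value, &seq)
		if err != nil {
			return nil, err
		}
		if len(rest) != 0 || !seq.IsCompound || seq.Tag != asn1.TagSequence {
			return nil, errors.New("malformed subjectAltName extension")
		}
		for body := seq.Bytes; len(body) > 0; {
			var gn asn1.RawValue
			body, err = asn1.Unmarshal(body, &gn)
			if err != nil {
				return nil, err
			}
			if gn.Class != asn1.ClassContextSpecific || gn.Tag != tagDNSName {
				continue // iPAddress, rfc822Name, URI, ...: out of scope here
			}
			// A trailing dot would hide "192.0.2.10." from net.ParseIP; strip it.
			name := strings.TrimSuffix(string(gn.Bytes), ".")
			if net.ParseIP(name) != nil {
				findings = append(findings, string(gn.Bytes))
			}
		}
	}
	return findings, nil
}

// selfSigned builds a constructed, short-lived self-signed certificate so the
// lint can be exercised offline. A CA would run the lint on its own
// to-be-signed certificate before signing it instead.
func selfSigned(dnsNames []string, ips []net.IP) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "lint-demo.example"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		DNSNames:     dnsNames,    // encoded as dNSName [2] entries
		IPAddresses:  ips,         // encoded as iPAddress [7] entries
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

func main() {
	// Constructed sample in the problem shape: IP literals stuffed into dNSName.
	bad, err := selfSigned([]string{"www.example.com", "192.0.2.10", "2001:db8::1"}, nil)
	if err != nil {
		panic(err)
	}
	findings, err := LintIPInDNSName(bad)
	if err != nil {
		panic(err)
	}
	fmt.Println("problem shape, dNSName entries that are IP literals:", findings)

	// The correct shape: host name in dNSName, address in iPAddress.
	good, err := selfSigned([]string{"www.example.com"}, []net.IP{net.ParseIP("192.0.2.10")})
	if err != nil {
		panic(err)
	}
	findings, err = LintIPInDNSName(good)
	if err != nil {
		panic(err)
	}
	fmt.Println("correct shape, findings:", findings)
}
```

Wired in as a pre-issuance gate, a non-empty result from LintIPInDNSName (or any parse error) blocks signing; that is the check which would have caught both CAs' issuances regardless of whether the 2016/2017 input-side patches stay in place.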

Hi Wayne, do you need any further update on this bug for resolution?

It appears that remediation is complete.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [leaf-revocation-delay]