Camerfirma: Multicert SSL CA 001: Insufficient serial number entropy

ASSIGNED
Assigned to

Status

ASSIGNED
11 days ago
10 days ago

People

(Reporter: ca.forum, Assigned: ca.forum)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [ca-compliance])

Attachments

(1 attachment)

(Assignee)

Description

11 days ago

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0

Steps to reproduce:

1. How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.
On 2019-03-11 09:00 WET, after reviewing ongoing discussions and incident reports published on mozilla.dev.security.policy about 64 bit entropy for serial number generation, we started investigating our systems for possible violation of BR v.1.6.3 §7.1.

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
2019-03-08 17:00 WET – identified relevant ongoing discussions on m.d.s.p and incident reports published.
2019-03-11 09:00 WET – started investigation whether the issue affected our systems.
2019-03-11 14:00 WET – conclusion of investigation is that certificates issued by our MULTICERT SSL Certification Authority 001 (MTC SSL CA 001) are affected by this issue, having only 63 bits of effective entropy. Development of fixes started immediately.
We are testing the fixes under the QA environment. Correction is planned to be deployed in production on 2019-03-12 at 13:00 WET.
We are carefully evaluating scenarios for the replacement of the certificates – in the last 4 months, all of our SSL customers have gone through at least one enforced certificate replacement (some of them have had 3 changes).

3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.
Certificate issuance was stopped after concluding that we were affected by the issue and will be resumed after the fix is rolled out in production.

4. A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.
All certificates issued from MTC SSL CA 001 (https://crt.sh/?caid=84368) are affected by this issue. There are currently a total of 924 active non expired certificates, issued between 2018-10-17 15:12 WET and 2019-03-11 12:45 WET.

5. The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.
We are attaching a CSV file to this report with the affected certificates.

6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
The issue is due to a flaw in the serial number generation algorithm that changes the leftmost bit to 0 to force the serial number to be positive.
The issue is undetectable by lint tools and can only be found by source code inspection or statistical tests (over a large population).

7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
Serial numbers size will be increased to include a minimum of 120 bits of entropy.

Assignee: wthayer → ca.forum
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: Multicert SSL CA 001: Insufficient serial number entropy → Camerfirma: Multicert SSL CA 001: Insufficient serial number entropy
Whiteboard: [ca-compliance]
(Assignee)

Comment 1

10 days ago

(In reply to ca.forum from comment #0)

2. A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.
2019-03-08 17:00 WET – identified relevant ongoing discussions on m.d.s.p and incident reports published.
2019-03-11 09:00 WET – started investigation whether the issue affected our systems.
2019-03-11 14:00 WET – conclusion of investigation is that certificates issued by our MULTICERT SSL Certification Authority 001 (MTC SSL CA 001) are affected by this issue, having only 63 bits of effective entropy. Development of fixes started immediately.
We are testing the fixes under the QA environment. Correction is planned to be deployed in production on 2019-03-12 at 13:00 WET.

2019-03-12 13:09 WET - the fix was deployed in production and certificate issuance was resumed.

We are carefully evaluating scenarios for the replacement of the certificates – in the last 4 months, all of our SSL customers have gone through at least one enforced certificate replacement (some of them have had 3 changes).

You need to log in before you can comment on or make changes to this bug.