Closed Bug 1572287 Opened 5 years ago Closed 5 years ago

Add attacker-controlled google.tg certificates to OneCRL

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: wthayer, Assigned: wthayer)

References

Details

(Keywords: sec-other)

Attachments

(2 files)

google.tg.crt: 2.26 KB, application/x-x509-ca-cert
amazon.tg.crt: 2.26 KB, application/x-x509-ca-cert
Attached file google.tg.crt

The following (and attached) certificate has been reported as misissued and should be added to OneCRL: https://crt.sh/?id=1743697773

This appears to be a .tg ccTLD compromise related to 1414039 and https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/4kj8Jeem0EU/Lmvw98EqBgAJ

Group: crypto-core-security

Ryan, are you the point of contact from Google on this? If yes, have any further mis-issued *.tg certs been identified?
I recall that the last time the *.tg registry was compromised it was for a period of time and affected multiple CAs.

Flags: needinfo?(ryan.sleevi)

I haven’t done any deep dives for any other sites yet, but I expect it’s going to be a similar story.

Flags: needinfo?(ryan.sleevi)

Adding the issuing CA for the currently known cert, so they can provide their findings, especially if additional certs should be added to OneCRL.

Keywords: sec-other
Flags: needinfo?(Robin.Alden)

s/misissued/attacker-controlled/, to use the same language as bug 1414039. Sectigo/cPanel did not misissue this certificate. The BRs and Mozilla Root Store Policy only require CAs to prove domain control, not ownership. Before issuing this certificate, Sectigo validated domain control and encountered an empty CAA RRset.

Summary: Add misissued google.tg certificates to OneCRL → Add attacker-controlled google.tg certificates to OneCRL
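The comment above turns on what CAA does and does not do: the CA checked CAA for google.tg, found an empty RRset, and was therefore free to issue once domain control was proven. The following is an added example (not from this bug, and not Sectigo's or Mozilla's code) of the RFC 8659 CAA decision a CA makes at issuance time, run against a constructed in-memory zone rather than live DNS. The zone contents, the hypothetical domain names and the use of "sectigo.com" as the CA's CAA identifier are all assumptions made for the illustration.

```python
"""CAA issuance decision per RFC 8659 over a constructed, in-memory zone.

The relevant CAA set for a name is the RRset of the name itself or, failing
that, of its closest ancestor that has one; the root never has CAA records,
so a name with no CAA anywhere up its tree yields an empty set. An empty
set (the google.tg case in this bug) places no restriction on any CA.
"""
from typing import Dict, List, Tuple

CAARecord = Tuple[int, str, str]  # (flags, tag, value)

# Constructed zone data for the example; these are not real DNS answers.
ZONE: Dict[str, List[CAARecord]] = {
    # Only Let's Encrypt may issue; iodef is informational and never blocks.
    "example.com.": [(0, "issue", "letsencrypt.org"),
                     (0, "iodef", "mailto:security@example.com")],
    # 'issue ;' explicitly forbids every CA.
    "locked.example.": [(0, "issue", ";")],
    # issuewild governs wildcard requests only; non-wildcard requests fall
    # through to 'issue', and with no 'issue' property they are unrestricted.
    "shop.example.org.": [(0, "issuewild", "digicert.com")],
    "example.org.": [(0, "issue", "sectigo.com")],
    # A critical-flagged property the CA does not understand must block issuance.
    "strict.example.": [(0x80, "futureproperty", "x")],
    # google.tg deliberately has no entry: an empty CAA RRset, as in the bug.
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa_set(zone: Dict[str, List[CAARecord]], name: str) -> List[CAARecord]:
    """Climb from the name towards the root and return the first non-empty RRset."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):          # stops before the root label
        candidate = ".".join(labels[i:]) + "."
        rrset = zone.get(candidate, [])
        if rrset:
            return rrset
    return []


def issuance_permitted(zone: Dict[str, List[CAARecord]], name: str, ca_domain: str) -> bool:
    """Return True if CAA allows `ca_domain` to issue for `name` (wildcards allowed)."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    rrset = relevant_caa_set(zone, base)

    # Unknown property with the critical bit set: the CA must refuse.
    if any((flags & 0x80) and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False

    # For wildcard requests issuewild takes precedence when present; otherwise
    # (and always for non-wildcard requests) the issue property applies.
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"
    values = [v for _, t, v in rrset if t.lower() == tag]

    if not values:
        return True  # no applicable property: CAA imposes no restriction

    for value in values:
        issuer = value.split(";", 1)[0].strip().lower()  # 'sectigo.com; account=1' -> 'sectigo.com'
        if issuer and issuer == ca_domain.lower():
            return True
    return False  # includes the 'issue ;' case, where the issuer domain is empty


def explain(zone: Dict[str, List[CAARecord]], name: str, ca_domain: str) -> str:
    """Human-readable summary of the decision, for the sample run below."""
    rrset = relevant_caa_set(zone, name[2:] if name.startswith("*.") else name)
    verdict = "permitted" if issuance_permitted(zone, name, ca_domain) else "refused"
    return f"{name:22} CAA={rrset if rrset else 'empty'} -> {ca_domain}: {verdict}"


if __name__ == "__main__":
    for n in ("google.tg", "www.example.com", "locked.example",
              "shop.example.org", "*.shop.example.org", "strict.example"):
        print(explain(ZONE, n, "sectigo.com"))
```

The run shows the mechanism behind the comment: for google.tg the relevant set is empty, so the decision is "permitted" for every CA and the check adds nothing beyond the domain-control validation itself. It also shows why CAA is not a defence against a registry compromise: the CAA records live in the very zone the attacker controls, so the attacker can publish an empty or permissive RRset as easily as the validation record the CA asked for.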

Rob, is Sectigo going to revoke this cert? Has Sectigo reached out to the *.tg registry to see if they are having a problem?

Flags: needinfo?(Robin.Alden)

Rob - thank you for confirming that this is not a misissuance. I would also like to know if Sectigo has checked to see if any other questionable .tg certs were issued recently.

Kathleen,
We have revoked https://crt.sh/?id=1743697773

We have reached out to the .tg registry using the contact details from https://www.iana.org/domains/root/db/tg.html, we do not yet have any information to report.

Wayne,
We have checked, but are continuing to check further.
I have prepared a list of all the .tg domains that we included in TLS certificates from 01-August to date. It is here:
https://docs.google.com/spreadsheets/d/1oE8FkZImbhgwuKwvTaX0t8v-ITxztZQ5s3xmpO5PR34/edit?usp=sharing

The amazon.tg certificate looks questionable, and we have reached out to Trev @ Amazon who will check whether it was ordered by them. Jonathan Rudenberg also kindly alerted us specifically to the Amazon.tg certificate.

A ramco.tg certificate also looks questionable, as it shares a pattern with the above two. Ramco.com is a global payroll firm, whereas Ramco.tg appears to be a supermarket chain in Togo.

The Amazon security team responded to our enquiry and we have revoked the amazon.tg certificate.

Attached file amazon.tg.crt

We'll also add the attached amazon.tg cert to OneCRL.

Depends on: 1575435

These two certificates are now in OneCRL.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Group: crypto-core-security → core-security-release
Group: core-security-release
Product: NSS → CA Program