GoDaddy: Failure to revoke key-compromised certificates within 24 hours
Categories: CA Program :: CA Certificate Compliance, task
Tracking: Not tracked
People: Reporter: mpalmer, Assigned: jfox
Details: Whiteboard: [ca-compliance] [leaf-revocation-delay]
Steps to reproduce:
Between 2020-04-30 00:30:08 and 2020-05-11 05:38:13 (all times UTC), a total of five certificate problem reports were sent to practices@starfieldtech.com, stating that a private key had been compromised and requesting that all certificates issued by GoDaddy using the specified SPKI be revoked. The URL of a CSR attesting to the compromise of the private key, signed by the compromised private key, was provided in each case.
The delivery time, SPKI, and MX server (with IP address) for each report are as follows:
2020-04-30 00:30:08 e225cc93fb604eb10131b080c82abc711e0b6bad142f64165dcd2dfbb8f5f4b5 smtp.secureserver.net (68.178.213.203)
2020-05-07 10:44:58 808bb0fd8a818058a1415bcc70eced21fdf51f836c663c64ecf7b52afc5489fc smtp.secureserver.net (68.178.213.203)
2020-05-07 10:45:01 f135326c83b33189303c961b1c6e97d71e3b7b44e15c8c20a811a40e328e762b smtp.secureserver.net (68.178.213.203)
2020-05-08 13:38:48 e924e18120d68f40e43e51fbd44fdb6d9879f395f7b3e783b5bf0b79a73f7ddd smtp.secureserver.net (68.178.213.203)
2020-05-11 05:38:13 d38d0323a5ed0355973b5b34922f0e2670e30e34c384e5846b4f88c77eb1f008 smtp.secureserver.net (68.178.213.37)
Actual results:
In each case, one or more certificates for each SPKI were not revoked within 24 hours of the certificate problem report being received (based on the revocation timestamp recorded in a validly signed OCSP response). The sent time, revocation time, and time taken to revoke are given below.
2020-04-30 00:30:08 2020-05-01 00:30:19 (1 day 00:00:10)
2020-05-07 10:44:58 2020-05-08 14:32:19 (1 day 03:47:20)
2020-05-07 10:45:01 2020-05-08 14:55:25 (1 day 04:10:23)
2020-05-08 13:38:48 2020-05-09 16:45:31 (1 day 03:06:42)
2020-05-11 05:38:13 2020-05-12 14:05:18 (1 day 08:27:04)
Expected results:
All certificates to have been revoked within 24 hours of the problem report being received.
Addendum: a further eight certificate problem reports for key compromise have failed to result in revocation within 24 hours.
sent_at | email_address | spki_fingerprint | time_taken_to_revoke
----------------------------+-----------------------------+--------------------------------------------------------------------+--------------------------
2020-05-20 06:57:55.69718 | practices@starfieldtech.com | a9cb4e025f67e96ab09eef3ad2fcca117eb4d49fd66dc07b543f0bca22af0aca | 1 day 11:23:11.30282
2020-05-20 06:58:08.300582 | practices@starfieldtech.com | 22cc99aa654590de2b1761d8b7ca67726e3ffb36878e701765a454b8d0a0d10c | 1 day 11:04:54.699418
2020-05-20 06:59:38.634332 | practices@starfieldtech.com | bfd234968c72ff12847b30cc6183023809b6768df67e939d34852dc196949f23 | 1 day 11:26:57.365668
2020-05-20 06:59:52.102874 | practices@starfieldtech.com | 510499fbc78ae4ee9a9ddb96ada7e6885070e1adf3809cddb3a96ef5f4aa78c2 | 1 day 11:25:38.897126
2020-05-20 07:00:02.335614 | practices@starfieldtech.com | f11db7fccbf5125bcc832df008a4d1b9f3dc43e19e06dbe9282bdf038629fe1e | 1 day 10:26:27.664386
2020-05-20 07:01:59.72384 | practices@starfieldtech.com | f29f3244cb2128870d7e023e1bbdd7c82e3c7798eaaf1e348ab1bf05721e8c48 | 1 day 09:53:17.27616
2020-05-20 07:03:28.162462 | practices@starfieldtech.com | 744699dc3994a5eb77dcb1a9b6d73252cb9b9f94ff4dcc0ecadb6b7d3b9378f7 | 1 day 09:32:53.837538
2020-05-20 07:03:36.827765 | practices@starfieldtech.com | 8513e9d05053d2646f3bc9095974e0b1fcc564b9dab633edd81e7841662b745d | 1 day 09:08:38.172235
sent_at is the UTC time at which an MX record for starfieldtech.com accepted the notification e-mail for delivery; email_address and spki_fingerprint are, hopefully, self-explanatory, while time_taken_to_revoke is the difference between the sent_at (or certificate issuance time, if later) and the revocation timestamp provided in a validly signed OCSP response.
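The metric defined above (the clock starts at the later of report receipt and certificate issuance, and stops at the revocationTime from a signed OCSP response) as an added Python example; this is not code from the bug or from either CA. The rows are constructed: the first is modelled on the 2020-04-30 report above with fractional seconds dropped, the other two and all not_before values are invented, and the helper names are my own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

UTC = timezone.utc
# BR deadline for a substantiated key-compromise report (constant name is mine)
REVOCATION_DEADLINE = timedelta(hours=24)


def ts(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' as a UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)


@dataclass
class Report:
    spki: str                       # SHA-256 of the SubjectPublicKeyInfo, hex
    sent_at: datetime               # when the CA's MX accepted the problem report
    not_before: datetime            # certificate issuance time
    revoked_at: Optional[datetime]  # OCSP revocationTime, or None if still 'good'


def time_to_revoke(r: Report, now: datetime) -> timedelta:
    """Elapsed time from the later of sent_at / issuance to revocation (or to now)."""
    clock_start = max(r.sent_at, r.not_before)   # a cert issued after the report starts late
    clock_end = r.revoked_at if r.revoked_at is not None else now
    return clock_end - clock_start


def is_late(r: Report, now: datetime) -> bool:
    return time_to_revoke(r, now) > REVOCATION_DEADLINE


def late_spkis(rows: List[Report], now: datetime) -> List[str]:
    """SPKIs whose certificates were not revoked within the deadline."""
    return [r.spki for r in rows if is_late(r, now)]


# Constructed sample data (not live OCSP results).
NOW = ts("2020-05-13 00:00:00")
ROWS = [
    # modelled on the first report in the bug: 1 day 00:00:11 -> late
    Report("e225cc93fb604eb10131b080c82abc711e0b6bad142f64165dcd2dfbb8f5f4b5",
           ts("2020-04-30 00:30:08"), ts("2020-01-15 09:00:00"), ts("2020-05-01 00:30:19")),
    # invented: cert issued after the report, so the clock starts at issuance -> 2:32:19, on time
    Report("constructed-spki-2", ts("2020-05-07 10:44:58"), ts("2020-05-08 12:00:00"), ts("2020-05-08 14:32:19")),
    # invented: still unrevoked at NOW -> late
    Report("constructed-spki-3", ts("2020-05-11 05:38:13"), ts("2020-03-01 00:00:00"), None),
]

if __name__ == "__main__":
    for r in ROWS:
        print(r.spki[:16], time_to_revoke(r, NOW), "LATE" if is_late(r, NOW) else "ok")
```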
Comment 2•5 years ago
We have opened another incident related to this issue; please follow it here: https://bugzilla.mozilla.org/show_bug.cgi?id=1640310
Additionally, we ask that this bug be closed, as it is currently being addressed in the incident above.
Comment 4•5 years ago
(In reply to Ryan Sleevi from comment #3)
> I can't seem to find that bug.
Let me try this again:
https://bugzilla.mozilla.org/show_bug.cgi?id=1640310
Comment 5•5 years ago
> Matt: This seems to be the same root issue. Have I overlooked anything?
I can't speak to what the root issue is or whether they are the same. The incident report in the linked bug doesn't mention any of the certificates listed in this bug, nor does any followup comment on the linked bug enumerate them all. If GoDaddy were to issue an incident report fully detailing the certificates covered, with appropriate root causes, et al, then presumably one of the two bugs would be surplus to requirements.
Comment 7•5 years ago
Matt,
We have disclosed all 13 certificates you mentioned here in the bug stated above. Also, after an extensive investigation we rooted the cause as the same as the one in the bug we have open. Please let me know if there is anything else you would like to be disclosed in the other bug so we can combine both.
We appreciate your time and input on the matter.