Closed Bug 1668005 Opened 4 years ago Closed 4 years ago

GlobalSign: Failure to provide a preliminary report within 24 hours

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: arvid.vermote, Assigned: arvid.vermote)

Details

(Whiteboard: [ca-compliance] [disclosure-failure])


We received certificate problem reports on 25/09/2020 at 20:55 BST and 21:37 BST, which were only acknowledged on 27/09/2020 at 20:54 BST, exceeding the 24 hours required by Baseline Requirements #4.9.5.

We will provide a full incident report by Friday October 2.

Assignee: bwilson → arvid.vermote
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance]

How your CA first became aware of the problem (e.g. via a problem report submitted to your Problem Reporting Mechanism, a discussion in mozilla.dev.security.policy, a Bugzilla bug, or internal self-audit), and the time and date.

On 25/09/2020 at 19:55 UTC and 20:37 UTC two cases regarding misissuance were raised to the GlobalSign report-abuse email address. Support notified the Compliance team of this on 26/09/2020 at 05:47 UTC. The Compliance team acknowledged the report to the reporter on 27/09/2020 at 19:54 UTC. This exceeded the 24 hours required by Baseline Requirements #4.9.5.

A timeline of the actions your CA took in response. A timeline is a date-and-time-stamped sequence of all relevant events. This may include events before the incident was reported, such as when a particular requirement became applicable, or a document changed, or a bug was introduced, or an audit was done.

Time (UTC) Action
25/09/2020 19:55 Misissuance case #1 regarding ST fields with "Sweden" received on email.
25/09/2020 19:59 SOC requests an acknowledgment from Support that they are investigating case #1.
25/09/2020 20:37 Misissuance case #2 regarding ST fields with "Denmark" received on email.
25/09/2020 21:01 SOC requests an acknowledgment from Support that they are investigating case #2.
25/09/2020 21:21 Support acknowledges to SOC that they are investigating case #1.
25/09/2020 21:22 Support acknowledges to SOC that they are investigating case #2.
26/09/2020 05:47 Support sends email to Compliance regarding the received misissuance cases.
27/09/2020 19:21 Compliance team starts investigation.
27/09/2020 19:54 Compliance team responds to the reporter, confirming that they are aware of the issue, will investigate further and will address the issue described.
28/09/2020 07:24 Compliance team starts investigating the root cause of being unable to respond to the reporter within 24 hours, together with the Security team who oversee the SOC.
28/09/2020 08:13 Compliance and Security teams conclude together with the Support team that the Support process for misissuance cases was lacking critical steps, such as immediate escalation to Compliance. Next to this, the SOC process was also lacking, as it only requires acknowledgment from Support that they are working on the case, but not evidence of the response sent to the reporter.
28/09/2020 10:23 Support, SOC and Compliance processes have been updated. Support will now raise misissuance cases to Compliance immediately. Next to this, for all Report-Abuse cases, SOC will request evidence of the (preliminary) report sent to the reporter every 4 hours (with an escalation each time, where they expand the group being notified and employ different communication mechanisms) as long as evidence has not been provided yet. If after 20 hours no evidence of a (preliminary) report to the reporter has been received, SOC will start contacting the Compliance team by phone.
29/09/2020 04:53 All Report-Abuse processes have been reviewed to ensure they are on par with requirements. The relevant teams have been informed and trainings were updated to reflect this.
29/09/2020 14:00 Compliance team sends another response to the reporter regarding the Bugzilla tickets that were created for this, stating that they continue working on revoking the affected certificates and are addressing the root cause.

Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem. A statement that you have will be considered a pledge to the community; a statement that you have not requires an explanation.

N/A

A summary of the problematic certificates. For each problem: number of certs, and the date the first and last certs with that problem were issued.

N/A

The complete certificate data for the problematic certificates. The recommended way to provide this is to ensure each certificate is logged to CT and then list the fingerprints or crt.sh IDs, either in the report or as an attached spreadsheet, with one list per distinct problem.

N/A

Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.

During the last year GlobalSign made several changes to their Report-Abuse processes (refer to https://bugzilla.mozilla.org/show_bug.cgi?id=1524877#c9 and https://bugzilla.mozilla.org/show_bug.cgi?id=1620922#c2), such as integration with the Security Operations Center (SOC) and adding more oversight by the Compliance team.

However, the focus of these changes was report-abuse cases regarding malicious domains and key compromise. Other report-abuse processes were not thoroughly reviewed and the misissuance process was not adequately updated.

Consequently, the Compliance and Security team concluded together with the Support team that the Support process for misissuance cases lacked a critical step, namely the immediate escalation to Compliance.

Next to this, the SOC process was also lacking, as it only requires acknowledgment from Support that they are working on the case, but not evidence of the response sent to the reporter within the 24-hour time frame.

Because it is not very often that we receive misissuance cases from external sources, especially during the weekend, the issue with the misissuance process unfortunately avoided detection until now.

List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.

Support, SOC and Compliance processes have now been updated. Support will now escalate misissuance cases to Compliance immediately.

For all Report-Abuse cases, SOC will request evidence of the (preliminary) report sent to the reporter every 4 hours (with an escalation each time, where they expand the group being notified and employ different communication mechanisms) as long as evidence has not been provided yet.

If after 20 hours no evidence of a (preliminary) report to the reporter has been received, SOC will start contacting the Compliance team by phone to ensure they resolve this within the deadline.

All Report-Abuse processes have been reviewed to ensure they are on par with requirements and the above changes. The relevant teams have been informed and trainings were updated to reflect this.
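As an added example that is not part of this bug or of GlobalSign's own tooling: a small Python check that measures a problem report against the BR 4.9.5 24-hour preliminary-report window and the 4-hourly / 20-hour SOC escalation ladder described in the comment above. The receipt and reply timestamps are the two cases from the timeline; the open-case scenario with a `now` value is constructed for illustration.

```python
from datetime import datetime, timedelta
from typing import Dict, Optional

# Baseline Requirements 4.9.5: preliminary report to the reporter within 24 hours.
PRELIM_REPORT_DEADLINE = timedelta(hours=24)
# Cadence of the updated GlobalSign process described in the report:
# SOC asks for evidence of the reply every 4 hours and phones Compliance at 20 hours.
SOC_CHECK_INTERVAL = timedelta(hours=4)
PHONE_ESCALATION_AT = timedelta(hours=20)

TS_FORMAT = "%d/%m/%Y %H:%M"  # dd/mm/yyyy HH:MM, all times UTC as in the timeline


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FORMAT)


def preliminary_deadline(received: str) -> str:
    """Latest time at which a preliminary report still satisfies BR 4.9.5."""
    return (parse_ts(received) + PRELIM_REPORT_DEADLINE).strftime(TS_FORMAT)


def evaluate_case(received: str, replied: Optional[str], now: Optional[str] = None) -> Dict[str, object]:
    """Measure one problem report against the 24h window and the SOC escalation ladder.

    `replied` is when the reporter received a (preliminary) report, or None while the
    case is still open; `now` is the evaluation time for open cases (constructed here)."""
    if replied is None and now is None:
        raise ValueError("an open case needs an evaluation time ('now')")
    start = parse_ts(received)
    end = parse_ts(replied if replied is not None else now)
    elapsed = end - start
    return {
        "replied": replied is not None,
        "elapsed_hours": round(elapsed.total_seconds() / 3600, 2),
        "deadline_utc": preliminary_deadline(received),
        "breached_24h": elapsed > PRELIM_REPORT_DEADLINE,
        # number of 4-hourly SOC evidence requests that elapsed with no reply to the reporter
        "soc_checks_fired": elapsed // SOC_CHECK_INTERVAL,
        "phone_escalation": elapsed >= PHONE_ESCALATION_AT,
    }


if __name__ == "__main__":
    # The two cases from this bug's timeline, both answered on 27/09/2020 at 19:54 UTC.
    for label, received in (("case #1", "25/09/2020 19:55"), ("case #2", "25/09/2020 20:37")):
        print(label, evaluate_case(received, "27/09/2020 19:54"))
    # Constructed open case: 6h05m after receipt, one SOC check fired, no breach yet.
    print("open", evaluate_case("25/09/2020 19:55", None, now="26/09/2020 02:00"))
```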

Hi Ben, could you let us know whether more information is required or this ticket can be closed? Thank you.

Flags: needinfo?(bwilson)

I think this issue can be closed, and I'll schedule it for closure on 20-November-2020.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Whiteboard: [ca-compliance] → [ca-compliance] [disclosure-failure]