Closed Bug 1691227 Opened 10 months ago Closed 10 months ago

Add unauthorized google.lk certificate to OneCRL

Categories

(Core :: Security Block-lists, Allow-lists, and other State, task)

task

Tracking

()

RESOLVED FIXED

People

(Reporter: kwilson, Unassigned)

Details

(Keywords: sec-other, Whiteboard: [ca-onecrl] )

Please add the https://crt.sh/?id=4037732415 cert to OneCRL.

Background provided by Google via email that I received today:

We've become aware of an issue with the Sri Lankan ccTLD registry,
http://www.nic.lk/ , which has resulted in an unauthorized certificate
being issued for google.lk

The unauthorized certificate is available at https://crt.sh/?id=4037732415 ,
with the SHA-256 fingerprint
91018fcd3e0dc73f48d011a123f604d846d66821c58304474f949d7449dd600a and is attached.

We have notified Sectigo of this certificate not being authorized, and are
notifying other browser vendors to ensure this certificate is revoked
(e.g. via CRLSet, Mozilla OneCRL, Apple Valid, etc), in the event this requires
manual action.

Looks like Google did: "Revoked [by SHA-256(SubjectPublicKeyInfo)]", so we should do the same.

Dana added it to Kinto Staging, and I reviewed/approved it at Staging. Ready for testing.

Since we don't have a live server to test against, we verified that staging has published what we've expected it to publish, which is:

{
    'details': {
        'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1691227',
        'who': 'dkeeler@mozilla.com',
        'why': 'unauthorized issuance',
        'name': 'unauthorized google.lk certificate',
        'created': '2021-02-07T00:09:20Z'
    },
    'enabled': True,
    'subject': 'MBQxEjAQBgNVBAMTCWdvb2dsZS5saw==',
    'pubKeyHash': 'FeeuQMxLP3Iipab+Pn3Ef25G7poiUYOdspbWKtoqDfc='
}

(and there are no other changes)

Ready for review on prod. onecrl-entry-checker says:

[17:41:13] Stage-Stage: 1307 Stage-Preview: 1307 Stage-Published: 1307                                                                                                                         compare.py:67
[17:41:14] Prod-Stage: 1307 Prod-Preview: 1307 Prod-Published: 1306                                                                                                                            compare.py:75
           Verifying stage against preview                                                                                                                                                     compare.py:82
[17:41:15] stage/security-state-staging (1307) and stage/security-state-preview (1307) are equivalent                                                                                          compare.py:87
           stage/security-state-staging (1307) and prod/security-state-staging (1307) are equivalent                                                                                           compare.py:87
           stage/security-state-staging (1307) and prod/security-state-preview (1307) are equivalent                                                                                           compare.py:87
           stage/security-state-preview (1307) and prod/security-state-staging (1307) are equivalent                                                                                           compare.py:87
           stage/security-state-preview (1307) and prod/security-state-preview (1307) are equivalent                                                                                           compare.py:87
           prod/security-state-staging (1307) and prod/security-state-preview (1307) are equivalent                                                                                            compare.py:87
           No changes are waiting in staging                                                                                                                                                   compare.py:90
           There are 1 changes waiting in production. Adding:                                                                                                                                  compare.py:99
{
    'details': {
        'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1691227',
        'who': 'dkeeler@mozilla.com',
        'why': 'unauthorized issuance',
        'name': 'unauthorized google.lk certificate',
        'created': '2021-02-07T00:09:20Z'
    },
    'enabled': True,
    'subject': 'MBQxEjAQBgNVBAMTCWdvb2dsZS5saw==',
    'pubKeyHash': 'FeeuQMxLP3Iipab+Pn3Ef25G7poiUYOdspbWKtoqDfc='
}
           Staging is updated, and production changes are waiting, so Firefox can use                                                                                                         compare.py:110
           Remote Settings DevTools (https://github.com/mozilla-extensions/remote-settings-devtools)                                                                                                        
           and cert-storage-inspector (https://github.com/mozkeeler/cert-storage-inspector) to test                                                                                                         
           OneCRL.                                                                                              

Approved at Kinto Production.

Verified in OneCRL in my Firefox profile.

Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED

The registry published a notice on their website, http://www.nic.lk/ so this information is public.

Group: core-security
You need to log in before you can comment on or make changes to this bug.