Closed Bug 1691227 Opened 3 years ago Closed 3 years ago

Add unauthorized google.lk certificate to OneCRL

Categories

(Core :: Security Block-lists, Allow-lists, and other State, task)

Tracking

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Unassigned)

Details

(Keywords: sec-other, Whiteboard: [ca-onecrl] )

Please add the https://crt.sh/?id=4037732415 cert to OneCRL.

Background provided by Google via email that I received today:

We've become aware of an issue with the Sri Lankan ccTLD registry,
http://www.nic.lk/ , which has resulted in an unauthorized certificate
being issued for google.lk.

The unauthorized certificate is available at https://crt.sh/?id=4037732415 ,
with the SHA-256 fingerprint
91018fcd3e0dc73f48d011a123f604d846d66821c58304474f949d7449dd600a and is attached.

We have notified Sectigo of this certificate not being authorized, and are
notifying other browser vendors to ensure this certificate is revoked
(e.g. via CRLSet, Mozilla OneCRL, Apple Valid, etc), in the event this requires
manual action.

Looks like Google did: "Revoked [by SHA-256(SubjectPublicKeyInfo)]", so we should do the same.

Dana added it to Kinto Staging, and I reviewed/approved it at Staging. Ready for testing.

Since we don't have a live server to test against, we verified that staging has published what we expected it to publish, which is:

{
    'details': {
        'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1691227',
        'who': 'dkeeler@mozilla.com',
        'why': 'unauthorized issuance',
        'name': 'unauthorized google.lk certificate',
        'created': '2021-02-07T00:09:20Z'
    },
    'enabled': True,
    'subject': 'MBQxEjAQBgNVBAMTCWdvb2dsZS5saw==',
    'pubKeyHash': 'FeeuQMxLP3Iipab+Pn3Ef25G7poiUYOdspbWKtoqDfc='
}

(and there are no other changes)

Ready for review on prod. onecrl-entry-checker says:

[17:41:13] Stage-Stage: 1307 Stage-Preview: 1307 Stage-Published: 1307  compare.py:67
[17:41:14] Prod-Stage: 1307 Prod-Preview: 1307 Prod-Published: 1306  compare.py:75
           Verifying stage against preview  compare.py:82
[17:41:15] stage/security-state-staging (1307) and stage/security-state-preview (1307) are equivalent  compare.py:87
           stage/security-state-staging (1307) and prod/security-state-staging (1307) are equivalent  compare.py:87
           stage/security-state-staging (1307) and prod/security-state-preview (1307) are equivalent  compare.py:87
           stage/security-state-preview (1307) and prod/security-state-staging (1307) are equivalent  compare.py:87
           stage/security-state-preview (1307) and prod/security-state-preview (1307) are equivalent  compare.py:87
           prod/security-state-staging (1307) and prod/security-state-preview (1307) are equivalent  compare.py:87
           No changes are waiting in staging  compare.py:90
           There are 1 changes waiting in production. Adding:  compare.py:99
{
    'details': {
        'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1691227',
        'who': 'dkeeler@mozilla.com',
        'why': 'unauthorized issuance',
        'name': 'unauthorized google.lk certificate',
        'created': '2021-02-07T00:09:20Z'
    },
    'enabled': True,
    'subject': 'MBQxEjAQBgNVBAMTCWdvb2dsZS5saw==',
    'pubKeyHash': 'FeeuQMxLP3Iipab+Pn3Ef25G7poiUYOdspbWKtoqDfc='
}
           Staging is updated, and production changes are waiting, so Firefox can use  compare.py:110
           Remote Settings DevTools (https://github.com/mozilla-extensions/remote-settings-devtools)
           and cert-storage-inspector (https://github.com/mozkeeler/cert-storage-inspector) to test
           OneCRL.
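As an added illustration (not code from this bug or from Mozilla's OneCRL tooling), the script below decodes the published entry's base64 'subject' with a minimal DER Name parser and shows how the two fields are derived: 'subject' is the base64 DER subject Name and 'pubKeyHash' is base64(SHA-256(DER SubjectPublicKeyInfo)), matching the "Revoked [by SHA-256(SubjectPublicKeyInfo)]" wording above. The entry values are copied from the comments; since the certificate itself is not on this page, any SPKI bytes fed to build_entry are constructed placeholders.

```python
import base64
import hashlib

ONECRL_ENTRY = {  # values copied from the published entry in the comments above
    "subject": "MBQxEjAQBgNVBAMTCWdvb2dsZS5saw==",
    "pubKeyHash": "FeeuQMxLP3Iipab+Pn3Ef25G7poiUYOdspbWKtoqDfc=",
}
SUBJECT_DER = base64.b64decode(ONECRL_ENTRY["subject"])
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O"}

def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_subject(der):
    """Decode an X.501 Name: SEQUENCE { SET { SEQUENCE { OID, value } } }."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    pairs, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)  # RelativeDistinguishedName (SET)
        _, atv, _ = _read_tlv(rdn, 0)       # AttributeTypeAndValue (SEQUENCE)
        _, oid, p = _read_tlv(atv, 0)       # attribute type (OID)
        _, val, _ = _read_tlv(atv, p)       # attribute value (string)
        oid = _decode_oid(oid)
        pairs.append((OID_NAMES.get(oid, oid), val.decode("utf-8")))
    return pairs

def subject_string(der):
    return ",".join(f"{k}={v}" for k, v in parse_subject(der))

def build_entry(subject_der, spki_der):
    """OneCRL fields: base64(DER subject) and base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return {"subject": base64.b64encode(subject_der).decode("ascii"),
            "pubKeyHash": base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")}
```

A certificate is blocked by a subject/pubKeyHash entry only when both fields match, so the constructed SPKI bytes produce an entry that differs from the published one in pubKeyHash while sharing its subject.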

Approved at Kinto Production.

Verified in OneCRL in my Firefox profile.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED

The registry published a notice on their website, http://www.nic.lk/ so this information is public.

Group: core-security