Rick, your report [1] states that...
"...the certificates never left Symantec's secure test labs or the
QA test machine, and they were never visible to any end user...
One of these test certificates with a CN=www.google.com was an
Extended Validation (EV) test certificate and was logged to public
Certificate Transparency (CT) log servers"
IIUC, this statement claims that, out of all the certs/precerts listed
in [2], the www.google.com precertificate [3] is the only one that "left
Symantec's secure test labs".
So, when I looked up all of the serial numbers in [2] in crt.sh, I was
surprised to find...
- 2 certs for *.icns.com.au (which you've explained already).
- 2 precertificates, and the corresponding 2 EV certificates, for
evgabrieltest.bbtest.com - see [4].
- an EV cert for symantec-waf01.scutum.jp - see [5].
- an EV cert for 123Symantec.com - see [6].
Also, when I looked for evidence of any of the other certs in [2] in
some of our historical SSL crawler logs, I was surprised to find that...
- the certificate with serial number 14c943, issued by "Equifax
Secure Certificate Authority", was in use when we accessed
https://avodcdn01-a.akamaihd.net on 9th June 2011 (IP address
184.86.230.82) and 25th June 2011 (IP address 95.101.190.82). This
certificate wasn't known to CT until I logged it just now - see [7].
- the certificate with serial number
1962f4d772f9e9c7ef2d09dd40d85a2c, issued by "VeriSign Class 3 Extended
Validation SSL SGC CA", was in use when we accessed
https://remote.tdsolutionscenter.com (IP address 96.243.213.32) on the
8th, 11th, 13th and 22nd January 2013. remote.tdsolutionscenter.com
still resolves to that IP address today. This certificate wasn't known
to CT until I logged it just now - see [8].
I also found a copy of the certificate with serial number 64b32, issued
by "GeoTrust DV SSL CA" (although for some reason I wasn't able to find
a record of where we discovered that cert). This certificate wasn't
known to CT until I logged it just now - see [9].
[1] https://www-secure.symantec.com/connect/sites/default/files/Test_Certificates_Incident_Final_Report_10_13_2015v3.pdf
[2] https://www-secure.symantec.com/connect/sites/default/files/TestCertificateIncidentReportOwnedDomains.pdf
[3] https://crt.sh/?id=9314698
[4] https://crt.sh/?q=evgabrieltest%2Ebbtest%2Ecom&iCAID=1454
[5] https://crt.sh/?id=5934504
[6] https://crt.sh/?id=9324337
[7] https://crt.sh/?id=10162388
[8] https://crt.sh/?id=10162533
[9] https://crt.sh/?id=10162537
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
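
Added example, not part of the message above and not crt.sh's or the author's own tooling: one way to cross-check a CA's reported serial list against historical crawl observations, matching on issuer plus normalized serial because a serial number is only unique per issuer. The CSV layout, the function names and the last two log rows are assumptions constructed for illustration; the first three rows reuse the sightings quoted in the message.

```python
import csv
import io
from collections import defaultdict

# (issuer CN, serial) pairs as quoted in the message above.
REPORTED = [
    ("Equifax Secure Certificate Authority", "14c943"),
    ("VeriSign Class 3 Extended Validation SSL SGC CA", "1962f4d772f9e9c7ef2d09dd40d85a2c"),
    ("GeoTrust DV SSL CA", "64b32"),
]

# Constructed crawl log (assumed layout). Serial formatting varies on purpose;
# the two "Example Test CA" rows are made up to exercise the non-matching paths.
CRAWL_LOG = """\
date,host,ip,issuer_cn,serial
2011-06-09,avodcdn01-a.akamaihd.net,184.86.230.82,Equifax Secure Certificate Authority,14:C9:43
2011-06-25,avodcdn01-a.akamaihd.net,95.101.190.82,Equifax Secure Certificate Authority,0x14c943
2013-01-08,remote.tdsolutionscenter.com,96.243.213.32,VeriSign Class 3 Extended Validation SSL SGC CA,1962F4D772F9E9C7EF2D09DD40D85A2C
2013-02-01,other.example,192.0.2.10,Example Test CA,064b32
2013-02-02,unrelated.example,192.0.2.11,Example Test CA,0abc
"""

def normalize_serial(raw):
    """Canonical lowercase hex: no separators, no '0x', no leading zeros."""
    s = raw.strip().lower().replace(":", "").replace(" ", "")
    if s.startswith("0x"):
        s = s[2:]
    int(s, 16)  # raise ValueError on non-hex input rather than mismatch silently
    return s.lstrip("0") or "0"

def find_sightings(reported, crawl_csv):
    """Map each reported (issuer CN, serial) to the crawl rows that served it."""
    wanted = {(issuer, normalize_serial(serial)) for issuer, serial in reported}
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(crawl_csv)):
        key = (row["issuer_cn"], normalize_serial(row["serial"]))
        # Same serial under a different issuer is a different certificate.
        if key in wanted:
            hits[key].append((row["date"], row["host"], row["ip"]))
    return dict(hits)

if __name__ == "__main__":
    for (issuer, serial), seen in find_sightings(REPORTED, CRAWL_LOG).items():
        print(f"{serial} ({issuer}): {seen}")
```

Any reported pair with at least one sighting was served from a network-reachable host, which is the condition the message checks the report's claim against.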