I checked the certificate; it is a client certificate issued to a person, PANG Ming Sum:

CN = PANG Ming Sum
E = todd.p...@autotoll.com.hk
OU = AUTOTOLL LIMITED
OU = 215063380000215100635386
OU = 0001890584
O = Hongkong Post e-Cert (Organisational)
C = HK

The problem is that this certificate doesn't have an EKU to limit it to client certificate use, so he/she can use it on a website as an SSL certificate! And the other problem is that this subscriber is not an employee of "Hongkong Post e-Cert (Organisational)", so why does its certificate subject O field use this Hong Kong Post name?

Regards,
Richard

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On Behalf Of ma...@certizen.com
Sent: Wednesday, August 17, 2016 1:23 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

On Wednesday, August 17, 2016 at 2:53:24 AM UTC+8, Kathleen Wilson wrote:
> All,
>
> It has come to our attention that Hongkong Post has recently issued a
> SHA1 cert that can be used in TLS/SSL.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1267332#c3
>
> The certificate was signed by the "Hongkong Post e-Cert CA 1 - 10"
> intermediate certificate.
>
> From the CA: "This certificate is issued to a person, instead of a
> server, as you've seen that it does not contain any DNS name.
> "Hongkong Post e-Cert CA 1 - 10" will continue to issue client
> certificates to individuals, although it has stopped issuing SSL
> server certificates since 1 January 2016."
>
> Our understanding: "The real problem here is that the issuing
> certificate is using sha-1 with predictable serial numbers. ... If a
> chosen-prefix attack on sha-1 were discovered... an attacker could use
> this CA to obtain a certificate for a domain that isn't theirs."
>
> We are looking into this, and as always will greatly appreciate data
> that folks have that will aid in assessing this situation.
>
> Thanks,
> Kathleen

We have already stopped issuing SHA-1 SSL certificates under "Hongkong Post e-Cert CA 1 - 10", since 1 January 2016, and have been issuing SHA-256 SSL certificates under "Hongkong Post e-Cert CA 1 - 14" and "Hongkong Post e-Cert CA 1 - 15" respectively (https://bugzilla.mozilla.org/show_bug.cgi?id=1267332#c2).

This certificate is a client certificate issued to a person for private use, such as digital signature and encryption of electronic messages, but not for SSL server communication. We are contacting the subscriber to confirm why and how he/she uses that certificate on the server at https://gps.autotoll-gps.com.hk. Once we have confirmed that he/she misused the certificate, we will revoke it.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
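The two properties the thread turns on, checked in code: Richard's point that a certificate with no EKU extension is not restricted to client use (RFC 5280 section 4.2.1.12 places no restriction when the extension is absent, so a TLS validator will accept it for server authentication), and Kathleen's point about the SHA-1 signature. This is an added example, not code from the thread or from any of the CAs involved. It walks the DER structure with the Python standard library only; the certificates it checks are constructed inside the block (structurally valid Certificate values with dummy names, key and signature, not the Hongkong Post certificate or any real one), and the OIDs are the standard ones.

```python
"""Check a DER X.509 certificate for (1) an EKU that permits TLS server use and
(2) a SHA-1 based signature algorithm. Standard library only; samples are constructed."""
import base64

OID_EKU = "2.5.29.37"
OID_ANY_EKU = "2.5.29.37.0"
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_SHA1_RSA = "1.2.840.113549.1.1.5"
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
SHA1_SIG_OIDS = {OID_SHA1_RSA: "sha1WithRSAEncryption",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1",
                 "1.2.840.10040.4.3": "dsa-with-sha1"}

def _read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(contents):
    """Split the contents of a constructed DER value into (tag, contents) members."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = _read_tlv(contents, pos)
        out.append((tag, val))
    return out

def _decode_oid(val):
    parts, n = [str(val[0] // 40), str(val[0] % 40)], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            parts.append(str(n))
            n = 0
    return ".".join(parts)

def parse_cert(der):
    """Return (signatureAlgorithm OID, list of EKU OIDs, or None if the EKU extension is absent)."""
    _, cert, _ = _read_tlv(der, 0)                                # Certificate ::= SEQUENCE
    (_, tbs), (_, sig_alg), _ = _children(cert)[:3]              # tbsCertificate, signatureAlgorithm, signatureValue
    sig_oid = _decode_oid(_children(sig_alg)[0][1])
    eku = None
    for tag, val in _children(tbs):
        if tag != 0xA3:                                           # [3] EXPLICIT Extensions
            continue
        for _, ext in _children(_children(val)[0][1]):            # SEQUENCE OF Extension
            fields = _children(ext)                               # extnID, [critical], extnValue
            if _decode_oid(fields[0][1]) == OID_EKU:
                eku_seq = _children(fields[-1][1])[0][1]          # OCTET STRING wraps SEQUENCE OF OID
                eku = [_decode_oid(v) for _, v in _children(eku_seq)]
    return sig_oid, eku

def usable_for_tls_server(der):
    """Absent EKU = unrestricted (RFC 5280 4.2.1.12); a present EKU must list serverAuth or anyEKU."""
    _, eku = parse_cert(der)
    return eku is None or OID_SERVER_AUTH in eku or OID_ANY_EKU in eku

def signed_with_sha1(der):
    return parse_cert(der)[0] in SHA1_SIG_OIDS

def pem_to_der(pem_text):
    """Strip PEM armour so a certificate saved from a browser can be fed to the checks above."""
    return base64.b64decode("".join(l for l in pem_text.splitlines() if not l.startswith("-----")))

# --- constructed samples (assumption: dummy names, key and signature; not real certificates) ---
def _tlv(tag, contents):
    n = len(contents)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + contents

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))                               # most significant base-128 digit first
    return _tlv(0x06, bytes(out))

def build_sample_cert(sig_oid, eku_oids):
    """Structurally valid Certificate; eku_oids=None omits the EKU extension entirely."""
    alg = _tlv(0x30, _encode_oid(sig_oid) + b"\x05\x00")          # AlgorithmIdentifier with NULL params
    name = _tlv(0x30, b"")                                        # empty Name (dummy)
    validity = _tlv(0x30, _tlv(0x17, b"160101000000Z") + _tlv(0x17, b"170101000000Z"))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00\x00"))              # dummy SubjectPublicKeyInfo
    exts = b""
    if eku_oids is not None:
        eku_value = _tlv(0x30, b"".join(_encode_oid(o) for o in eku_oids))
        exts = _tlv(0xA3, _tlv(0x30, _tlv(0x30, _encode_oid(OID_EKU) + _tlv(0x04, eku_value))))
    tbs = _tlv(0x30, _tlv(0xA0, b"\x02\x01\x02") + _tlv(0x02, b"\x01") + alg + name + validity + name + spki + exts)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" + b"\xAA" * 16))  # dummy signatureValue

if __name__ == "__main__":
    for label, der in [("SHA-1, no EKU", build_sample_cert(OID_SHA1_RSA, None)),
                       ("SHA-256, clientAuth only", build_sample_cert(OID_SHA256_RSA, [OID_CLIENT_AUTH]))]:
        print(label, "-> usable as TLS server cert:", usable_for_tls_server(der), "| SHA-1:", signed_with_sha1(der))
```

The first constructed sample has the shape the thread is about (SHA-1 signature, no EKU) and passes the server-use check; the second carries an EKU of clientAuth only and fails it, which is the constraint Richard says is missing. To run the same checks on a certificate saved from a browser, read the PEM file and pass `pem_to_der(text)` to `parse_cert`.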