As far as I know, GeoTrust is not at fault here.  They just signed this
(domain validated) certificate, and I don't know if they've been
notified of it before.  That said, I don't have GeoTrust's contact info,
and I'm presuming that someone here does.

Information here comes from
http://blog.sec-consult.com/2016/09/house-of-keys-9-months-later-40-worse.html.
The private key for this certificate was published by SEC Consult (a
Singaporean company) in a public GitHub repo that documents static TLS
keys in embedded device firmware, located at
https://github.com/sec-consult/houseofkeys/ .

Aruba is the OEM for various Alcatel-Lucent OmniAccess firmware.  They
embedded a certificate (trusted by GeoTrust) and its private key into
the firmware for more than 10 different models of OmniAccess.  This
certificate is in CT logs, and is currently valid until August 11, 2017.
Issuer is OU "C=US, O=GeoTrust Inc., OU=Domain Validated SSL,
CN=GeoTrust DV SSL CA".
Subject is "serialNumber=lLUge2fRPkWcJe7boLSVdsKOFK8wv3MF, C=US,
O=securelogin.arubanetworks.com, OU=GT28470348, OU=See
www.geotrust.com/resources/cps (c)11, OU=Domain Control Validated -
QuickSSL(R) Premium, CN=securelogin.arubanetworks.com".
Serial number is 121426.

The certificate (and the usual information about it) can be found at
https://censys.io/certificates/47fa89956f2aa349e8814b21a7bbd64c9b597f0f192bfe073559945a7a846534.

The private key for the certificate can be found at
https://github.com/sec-consult/houseofkeys/blob/master/certificates/47fa89956f2aa349e8814b21a7bbd64c9b597f0f192bfe073559945a7a846534.key
or by pulling the aforementioned GitHub repo.

Aruba chose not to notify GeoTrust that it needed to be revoked due to
a compromised private key.  I am notifying because I believe it violates
the Basic Requirements for someone other than the identified subject to
possess the private key for a publicly-trusted certificate.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

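
Added example, not part of the original post or of the houseofkeys project: a POSIX shell script using the openssl CLI that checks whether a published private key really corresponds to a certificate (the verification a reporter or the CA should run before treating a report like this one as a key compromise) and computes the SHA-256 certificate fingerprint that names the .key files in the houseofkeys repository. The file names and the self-signed test material are constructed placeholders, not the Aruba certificate.

```shell
#!/bin/sh
# Assumes the openssl command-line tool is installed.
# Paths passed to these functions are placeholders chosen by the caller.

# Print the lowercase hex SHA-256 digest of the certificate's DER encoding.
# This is the value used as the file name (<fingerprint>.key) in the
# houseofkeys repository and in the Censys certificate URL.
cert_sha256_fingerprint() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 if private key $2 matches certificate $1, 1 if it does not,
# 2 if either file could not be parsed. Comparing the SubjectPublicKeyInfo
# PEM blocks (not just an RSA modulus) also covers EC keys.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed test data: a throwaway self-signed certificate with its key,
# plus an unrelated key, written into directory $1 so the checks run offline.
make_sample_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.invalid" \
        -keyout "$1/leaked.key" -out "$1/cert.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -out "$1/other.key" 2>/dev/null
}

# Stand-alone demonstration of both checks on the constructed material.
workdir=$(mktemp -d)
make_sample_material "$workdir"
echo "fingerprint: $(cert_sha256_fingerprint "$workdir/cert.pem")"
if key_matches_cert "$workdir/cert.pem" "$workdir/leaked.key"; then
    echo "leaked.key matches cert.pem: key compromise confirmed, request revocation"
fi
if ! key_matches_cert "$workdir/cert.pem" "$workdir/other.key"; then
    echo "other.key does not match cert.pem: not evidence of compromise"
fi
rm -rf "$workdir"
```

In a real report the inputs would be the PEM certificate downloaded from the CT or Censys entry and the .key file from the repository, and a match is what justifies a revocation request under the key-compromise reason.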