Hi Hanno,

Hanno Böck, on 04 October 2016 13:34, said:
> There seem to be more certificates of that kind that weren't mentioned
> in the incident report. Here's a .re / www.re certificate (expired
> 2015):
> https://crt.sh/?id=4467456
>
> Has comodo checked its systems for other certificates of that kind? Can
> you provide a full list of all such certificates?

Yes, we have.

The initial check was for certificates issued on or after Nov 1st 2015, that being the date when internal server names were finally outlawed. In certificates issued before that date dNSName=sb could arguably be considered an internal server name (given that https://sb/ isn't supposed to resolve on the public Internet). At any rate, in the interests of getting the incident report out, it was simpler to only go back as far as Nov 1st 2015 so that we didn't have to consider internal server names at all.

We took another pass through the data looking for all server authentication certificates where we included DOMAIN, and for which DOMAIN is also included in the PSL or is a TLD, but where we validated (something).DOMAIN instead of DOMAIN. This should produce a superset of all certificates that exhibit this problem. In each case, the (something) was 'www'.

Going back to 2011, which was when we started checking the PSL in addition to a (then) fixed list of TLDs, we find the following certificates:

Issued      PSL             Section  State
25/07/2011  k12.wa.us       ICANN    expired
25/07/2011  k12.wa.us       ICANN    expired
12/11/2011  re              ICANN    expired
10/12/2012  gov.uk          ICANN    expired
02/05/2013  fredrikstad.no  ICANN    expired
10/06/2013  k12.wa.us       ICANN    expired
02/08/2013  ks.ua           ICANN    expired
30/06/2014  re              ICANN    expired
28/08/2014  iki.fi          PRIVATE  Valid (still live on https://iki.fi)
17/06/2015  gov.lk          ICANN    expired
20/09/2015  net.kg          ICANN    expired

Plus these ones which were already discussed:

26/11/2015  rivne.ua        ICANN
03/08/2016  tc              ICANN
03/08/2016  tc              ICANN
03/08/2016  tc              ICANN
21/09/2016  sb              ICANN

Plus three more certificates which turned out to be on the private section of the PSL now, but were not in the PSL when we issued the certificates.

> Also my understanding is that the error here was that control over the
> www.[domain] subdomain would indicate control over [domain]. Does that
> mean that this bug could've been used to also get wildcard certificates
> in the form of *.[tld]?

No. Regardless of other controls, the nature of this bug was that it only affected cases where a customer requested www.DOMAIN, because that was the case in which we also added DOMAIN into the SAN. No certificates were issued for *.[tld].

Regards
Robin Alden
Comodo

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
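The check Robin describes above (server authentication certificates whose SAN list includes a name that is itself a PSL entry or a TLD, while control was validated for a subdomain such as www.DOMAIN) can be expressed as a small audit routine. The following is an added example and not Comodo's code; the PSL subset is a constructed fragment built from the suffixes named in the message plus "com", and the sample certificates are constructed, not real issuances. It also flags wildcard SANs over a public suffix, the *.[tld] case Hanno asked about, so a CA reviewing its own issuance data catches both shapes in one pass.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed subset of the Public Suffix List (PSL), keyed by entry with its
# section.  Entries come from the suffixes named in the message plus "com";
# a real audit would load the full list from publicsuffix.org and keep the
# ICANN / PRIVATE split, since both sections matter for this check.
PSL = {
    "re": "ICANN", "sb": "ICANN", "tc": "ICANN", "k12.wa.us": "ICANN",
    "gov.uk": "ICANN", "fredrikstad.no": "ICANN", "ks.ua": "ICANN",
    "gov.lk": "ICANN", "net.kg": "ICANN", "rivne.ua": "ICANN",
    "com": "ICANN",
    "iki.fi": "PRIVATE",
}


@dataclass(frozen=True)
class Finding:
    san: str            # dNSName that should not have been included
    section: str        # PSL section the suffix sits in
    validated_via: str  # name whose control was actually validated
    reason: str


def psl_section(name: str) -> Optional[str]:
    """Return 'ICANN' / 'PRIVATE' if name is itself a PSL entry, else None."""
    return PSL.get(name.lower().rstrip("."))


def audit_cert(validated: set[str], sans: list[str]) -> list[Finding]:
    """Flag SAN entries that are a public suffix, or a wildcard over one,
    when control was demonstrated only for a name below that suffix
    (or not at all) rather than for the suffix itself."""
    validated = {v.lower().rstrip(".") for v in validated}
    findings = []
    for raw in sans:
        san = raw.lower().rstrip(".")
        wildcard = san.startswith("*.")
        base = san[2:] if wildcard else san
        section = psl_section(base)
        if section is None or base in validated:
            # Not a suffix, or control of the suffix itself was validated.
            continue
        # Which validated name (if any) sits underneath the suffix?  In the
        # cases in the message this was always www.<suffix>.
        below = [v for v in validated if v.endswith("." + base)]
        findings.append(Finding(
            san=raw,
            section=section,
            validated_via=below[0] if below else "(none)",
            reason=("wildcard over public suffix" if wildcard
                    else "public suffix in SAN after validating a subdomain"),
        ))
    return findings


# Constructed sample issuance records: cert id -> (validated names, SAN list).
SAMPLE_CERTS = {
    "cert-A": ({"www.sb"}, ["www.sb", "sb"]),                   # the sb case
    "cert-B": ({"www.iki.fi"}, ["www.iki.fi", "iki.fi"]),       # PRIVATE section
    "cert-C": ({"www.example.com"}, ["www.example.com", "example.com"]),
    "cert-D": ({"www.tc"}, ["*.tc"]),                           # wildcard shape
}


def audit_all(certs=SAMPLE_CERTS) -> dict[str, list[Finding]]:
    """Return only the certificates that produced at least one finding."""
    results = {cid: audit_cert(v, s) for cid, (v, s) in certs.items()}
    return {cid: f for cid, f in results.items() if f}


if __name__ == "__main__":
    for cid, findings in audit_all().items():
        for f in findings:
            print(f"{cid}: {f.san} [{f.section}] validated via "
                  f"{f.validated_via}: {f.reason}")
```

cert-C is the ordinary registrable-domain case (example.com is not a PSL entry, so adding it alongside www.example.com is fine) and is correctly left out; cert-A and cert-B reproduce the pattern in the table above, and cert-D shows why the wildcard variant is a separate rule even though, per the message, no such certificates were issued.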

