On 15/12/16 02:46, Tavis Ormandy wrote:
Hello, while working on an unrelated problem, I happened to notice that this
<https://crt.sh/?id=30316154> leaf certificate for DNS:test.wgh.cn and DNS:
test.ydn.cn has the same RSA public key as this trusted root
<https://crt.sh/?id=9329287> (and a few others).
test.wgh.cn no longer resolves, but wgh.cn is the personal blog of a WoSign
employee.
Is it possible key material was accidentally used in a web server and
removed from a HSM? Maybe there's another explanation, but if there was an
accident, I assume the root would need to be revoked.
I'm having trouble finding any observatory/census logs from this time
period to check, can anyone help?
Hi Tavis.
There are lots of links here: https://scans.io/
I took a brief look at https://scans.io/study/sonar.ssl and did not find
the SHA-1 hash of the test.wgh.cn cert (https://crt.sh/?id=30316154) in
either of the two logs dated soonest after that cert's notBefore date:
https://scans.io/data/rapid7/sonar.ssl/20150209/20150209_hosts.gz
https://scans.io/data/rapid7/sonar.ssl/20150216/20150216_hosts.gz
That cert has been revoked, but the (presumably backdated) revocation
date in the CRL matches the cert's notBefore date:
Serial Number: 6E58BF31CFAD4AB20071C26EA9662DA5
Revocation Date: Feb 4 06:47:22 2015 GMT
BTW, https://crt.sh/?id=9329287 (360 EV Server CA G2) is an intermediate
certificate, not a trusted root.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
