> From: Gervase Markham [mailto:g...@mozilla.org]
> Sent: Thursday, January 12, 2017 3:07 AM
> To: Wayne Thayer <wtha...@godaddy.com>; mozilla-dev-security-
> pol...@lists.mozilla.org
> Subject: Re: Incident Report – Certificates issued without proper domain
> validation
> 
> Hi Wayne,
> 
> Thanks for these prompt and detailed responses.
> 
> On 12/01/17 00:27, Wayne Thayer wrote:
> > Our initial response as reported yesterday was to fix the bug
> > introduced in July. Based on internal discussions and comments here,
> > as of 12 midnight PST last night (1/11) we stopped using this method
> > of file based domain control validation.
> 
> That seems like an excellent idea, at least until you can alter the system to
> make it so that the random value is not part of the URL requested.
> 
> > As soon as we learned of this issue, we went through every certificate
> > that was validated with the HTML method utilized during this period
> > and attempted to verify. If it could not be immediately verified, we
> > revoked the certificate.
> 
> That seems like an excellent process.
> 
> > When we learned of this issue, we re-validated every affected
> > certificate. If we were unable to properly validate, we revoked the
> > certificate. That is how we got the total of 8,951 revoked
> > certificates.
> 
> Are you able to say how many certificates were successfully revalidated?
> 
Approximately 7500. In addition, as of earlier today, new certificates that 
cover over 50% of the CNs in the set of revoked certs have successfully gone 
through our domain validation process.
>
> > As soon as we discovered the bug, we ran a report to identify every
> > certificate that didn’t fail the domain validation check during the
> > period the bug was active. We then started scanning websites to see
> > which ones were able to re-pass the proper validation check. If they
> > passed, we removed the certificate from the list. If we were unable to
> > revalidate the certificate, we revoked it. If there was any question
> > if the certificate was properly verified, we revoked it.
> 
> So you re-validated pretty much everything? Wow. That must be a lot of
> sites.
> 
> Not a requirement or a command, but it may be wise to improve your
> logging, because if you had stored the website's response and status code
> verbatim, you would not have needed to revalidate as many certificates
> (because you could have skipped those that responded "200"
> first time), and may have been able to revoke far fewer.
> 
Clearly this is good advice, thank you.
>
> Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
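
The logging suggestion in the thread above, sketched as an added example (not code from the original messages or from any CA's system): each validation response is stored verbatim with its status code, so a later audit can re-evaluate the stored records offline instead of re-scanning every site. The record fields, domains, URL layout and random values are constructed assumptions.

```python
import hashlib
import json

def make_record(domain, url, status, body):
    """Audit record that keeps the response verbatim, plus a digest of the body."""
    return {
        "domain": domain,
        "url": url,
        "status": status,
        "body": body,
        "sha256": hashlib.sha256(body.encode("utf-8")).hexdigest(),
    }

def passes(record, random_value):
    """Accept only a 200 response whose body carries the random value."""
    return record["status"] == 200 and random_value in record["body"]

def audit(log_lines, issued):
    """Re-evaluate stored records offline and return the domains needing action.

    issued maps domain -> random value assigned at validation time (assumed layout).
    A record is suspect if its body no longer matches its digest or if the
    stored response does not pass the strict check.
    """
    suspect = []
    for line in log_lines:
        rec = json.loads(line)
        digest = hashlib.sha256(rec["body"].encode("utf-8")).hexdigest()
        if digest != rec["sha256"] or not passes(rec, issued[rec["domain"]]):
            suspect.append(rec["domain"])
    return suspect

# Constructed sample data: one clean validation, and one error page whose body
# repeats the requested path (which contains the random value).
ISSUED = {"good.example": "r4nd0mA", "echo.example": "r4nd0mB"}
LOG = [
    json.dumps(make_record("good.example",
                           "http://good.example/r4nd0mA.html", 200, "r4nd0mA")),
    json.dumps(make_record("echo.example",
                           "http://echo.example/r4nd0mB.html", 404,
                           "Not found: /r4nd0mB.html")),
]

if __name__ == "__main__":
    print(audit(LOG, ISSUED))
```

With the status code stored, the second record is flagged from the log alone even though its body contains the random value.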
