I. Misissued certificates for example.com

On 2016-07-14, Symantec misissued the following certificates for example.com:

https://crt.sh/?sha256=A8F14F52CC1282D7153A13316E7DA39E6AE37B1A10C16288B9024A9B9DC3C4C6
https://crt.sh/?sha256=8B5956C57FDCF720B6907A4B1BC8CA2E46CD90EAD5C061A426CF48A6117BFBFA
https://crt.sh/?sha256=94482136A1400BC3A1136FECA3E79D4D200E03DD20B245D19F0E78B5679EAF48
https://crt.sh/?sha256=C69AB04C1B20E6FC7861C67476CADDA1DAE7A8DCF6E23E15311C2D2794BFCD11

I confirmed with ICANN, the owner of example.com, that they did not authorize these certificates. These certificates were already revoked at the time I found them.

II. Suspicious certificates for domains containing the word "test"

On 2016-11-15 and 2016-10-26, Symantec issued certificates for various domains containing the word "test" which I strongly suspect were misissued:

https://crt.sh/?sha256=b81f339b971eb763cfc686adbac5c164b89ad03f8afb55da9604fd0d416bbd21
https://crt.sh/?sha256=f45d090e1bf24738a8e86734aa7acf7c9e65b619eb19660b1f73c9973f11b841
https://crt.sh/?sha256=bcbc26c9e06c4fe1c9e4d55fa27a501c504ea84e23e114b8ac004f7c0776cd0b
https://crt.sh/?sha256=f0935ce297419cc148bde49a7a123f2b2419cdd52df8e7f49e7bba07fe872559
https://crt.sh/?sha256=3601ab49034e69d6e2137a80e511a0640252f444b75d6baca7bf4672c35652a5

I have not attempted to contact the owners of these domains for confirmation, as doing so is probably not feasible (many of the domains are owned by squatters). However, the following facts lead me to believe that these certificates were misissued:

1. The subject DNs contain clearly bogus values, such as:

   C=KR, ST=1, L=1, O=12, OU=1
   C=KR, ST=1, L=1, O=1, OU=1
   C=KR, ST=1, L=1, O=12, OU=1
   C=KR, ST=Test1, L=Test, O=Test

   Note that the misissued example.com certificates also contain C=KR in their subjects.

2. The third certificate in the list above contains a SAN for DNS:*.crosscert.com - note that three of the misissued example.com certificates contain "Crosscert" in their Subject Organization.

3. None of these certificates have been observed in the wild by Censys. The live certificate for www.test.com was issued by Network Solutions.

4. The first two certificates in the list above both contain DNS SANs for *all* of the following domains:

   test.com
   test1.com
   test2.com
   test3.com
   test4.com
   test5.com
   test6.com
   test7.com
   test8.com
   test9.com
   test11.com

   With the exception of test4.com and test8.com, these domains are registered to different entities and appear to be wholly unrelated to one another in both ownership and operation. It is unlikely that the owners of these domains would collaborate to authorize these certificates.

These certificates were already revoked at the time I found them.

III. Certificates with O=Test

Finally, Symantec has issued a large number of certificates with the following attributes in the Subject:

C=KR, ST=test, L=test, O=test, OU=test

e.g.:

https://crt.sh/?sha256=09AECE5B94BBB8A9EE2152FA6FB7261630124918DA015EB3571508EF6D31DD30
https://crt.sh/?sha256=CC0A2AE0EF5B1A6CF242D7B4C77AC9F05B49494B42C8486B47804874734CFC1C
https://crt.sh/?sha256=F177AC0064167354025CE12B3914A0E056628DD31152B5DF22E41913FC9D9B45
https://crt.sh/?sha256=DA7B1D433C071DA7A389EE2A4CAB854B89E441277B41E608F05FB7C7C6B2A761

For more, see: https://crt.sh/?O=test

I doubt there is an organization named "test" located in "test, Korea."

Regards,
Andrew

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
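The indicators in points 1, 2 and 4 of section II (placeholder subject fields, a wildcard SAN, and SANs spanning many distinct registrable domains) expressed as a small triage routine for Certificate Transparency hits. This is an added example, not code from the original post; the DN strings and SAN lists are constructed inputs, and the registrable-domain logic is a simplifying assumption (last two labels) rather than a Public Suffix List lookup.

```python
"""Triage heuristics for CT-log hits, modelled on the indicators in the post.
Inputs are flattened subject DN strings and SAN lists (constructed here);
nothing fetches from crt.sh or parses real X.509."""
import re

# Subject values that look like placeholders rather than a real organisation:
# short numerals ("1", "12"), "test"/"test1", "n/a", "none", "-".
PLACEHOLDER = re.compile(r"^(?:\d{1,3}|test\d*|n/?a|none|-)$", re.IGNORECASE)

# Number of distinct registrable domains in one cert above which we flag it.
MANY_DOMAINS = 5


def parse_dn(dn: str) -> dict:
    """Parse 'C=KR, ST=1, L=1, O=12, OU=1' into {'C': 'KR', 'ST': '1', ...}."""
    fields = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key.strip().upper()] = value.strip()
    return fields


def registrable_domain(name: str) -> str:
    """Assumed eTLD+1: the last two labels, with any '*.' wildcard stripped.
    Adequate for the .com names in the post; real tooling should use the PSL."""
    labels = name.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def triage(subject_dn: str, sans: list) -> list:
    """Return the indicators that fire for one certificate (empty if none)."""
    findings = []
    dn = parse_dn(subject_dn)
    bogus = [k for k in ("ST", "L", "O", "OU")
             if k in dn and PLACEHOLDER.match(dn[k])]
    if bogus:
        findings.append("placeholder subject fields: " + ", ".join(bogus))
    if any(s.startswith("*.") for s in sans):
        findings.append("wildcard SAN present")
    domains = {registrable_domain(s) for s in sans}
    if len(domains) >= MANY_DOMAINS:
        findings.append(f"SANs span {len(domains)} distinct registrable domains")
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the first certificate described in point 1/4.
    sample_sans = [f"test{i}.com" for i in ("", 1, 2, 3, 4, 5, 6, 7, 8, 9, 11)]
    for f in triage("C=KR, ST=1, L=1, O=12, OU=1", sample_sans):
        print("FLAG:", f)
```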