The listed Symantec certificates were issued by one of our WebTrust audited
partners. We have reduced this partner's privileges to restrict further
issuance while we review this matter. We revoked all reported certificates
which were still valid that had not previously been revoked within the 24
hour CA/B Forum guideline - these certificates each had "O=test". Our
investigation is continuing.

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+steve_medin=symantec....@lists.mozilla.org] On Behalf Of Andrew Ayer
> Sent: Thursday, January 19, 2017 4:46 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Misissued/Suspicious Symantec Certificates
> 
> I. Misissued certificates for example.com
> 
> On 2016-07-14, Symantec misissued the following certificates for
> example.com:
> 
>       https://crt.sh/?sha256=A8F14F52CC1282D7153A13316E7DA39E6AE37B1A10C16288B9024A9B9DC3C4C6
>       https://crt.sh/?sha256=8B5956C57FDCF720B6907A4B1BC8CA2E46CD90EAD5C061A426CF48A6117BFBFA
>       https://crt.sh/?sha256=94482136A1400BC3A1136FECA3E79D4D200E03DD20B245D19F0E78B5679EAF48
>       https://crt.sh/?sha256=C69AB04C1B20E6FC7861C67476CADDA1DAE7A8DCF6E23E15311C2D2794BFCD11
> 
> I confirmed with ICANN, the owner of example.com, that they did not
> authorize these certificates.  These certificates were already revoked at
> the time I found them.
> 
> 
> II. Suspicious certificates for domains containing the word "test"
> 
> On 2016-11-15 and 2016-10-26, Symantec issued certificates for various
> domains containing the word "test" which I strongly suspect were
> misissued:
> 
>       https://crt.sh/?sha256=b81f339b971eb763cfc686adbac5c164b89ad03f8afb55da9604fd0d416bbd21
>       https://crt.sh/?sha256=f45d090e1bf24738a8e86734aa7acf7c9e65b619eb19660b1f73c9973f11b841
>       https://crt.sh/?sha256=bcbc26c9e06c4fe1c9e4d55fa27a501c504ea84e23e114b8ac004f7c0776cd0b
>       https://crt.sh/?sha256=f0935ce297419cc148bde49a7a123f2b2419cdd52df8e7f49e7bba07fe872559
>       https://crt.sh/?sha256=3601ab49034e69d6e2137a80e511a0640252f444b75d6baca7bf4672c35652a5
> 
> I have not attempted to contact the owners of these domains for
> confirmation, as doing so is probably not feasible (many of the domains
> are owned by squatters).  However, the following facts lead me to believe
> that these certificates were misissued:
> 
> 1. The subject DNs contain clearly bogus values, such as:
> 
>       C=KR, ST=1, L=1, O=12, OU=1
>       C=KR, ST=1, L=1, O=1, OU=1
>       C=KR, ST=1, L=1, O=12, OU=1
>       C=KR, ST=Test1, L=Test, O=Test
> 
> Note that the misissued example.com certificates also contain C=KR in
> their subjects.
> 
> 2. The third certificate in the list above contains a SAN for
> DNS:*.crosscert.com - note that three of the misissued example.com
> certificates contain "Crosscert" in their Subject Organization.
> 
> 3. None of these certificates have been observed in the wild by Censys.
> The live certificate for www.test.com was issued by Network Solutions.
> 
> 4. The first two certificates in the list above both contain DNS SANs for
> *all* of the following domains:
> 
>       test.com
>       test1.com
>       test2.com
>       test3.com
>       test4.com
>       test5.com
>       test6.com
>       test7.com
>       test8.com
>       test9.com
>       test11.com
> 
> With the exception of test4.com and test8.com, these domains are
> registered to different entities and appear to be wholly unrelated with
> one another in both ownership and operation.  It is unlikely that the
> owners of these domains would collaborate to authorize these certificates.
> 
> These certificates were already revoked at the time I found them.
> 
> 
> III. Certificates with O=Test
> 
> Finally, Symantec has issued a large number of certificates with the
> following attributes in the Subject:
> 
>       C=KR, ST=test, L=test, O=test, OU=test
> 
> e.g.:
> 
>       https://crt.sh/?sha256=09AECE5B94BBB8A9EE2152FA6FB7261630124918DA015EB3571508EF6D31DD30
>       https://crt.sh/?sha256=CC0A2AE0EF5B1A6CF242D7B4C77AC9F05B49494B42C8486B47804874734CFC1C
>       https://crt.sh/?sha256=F177AC0064167354025CE12B3914A0E056628DD31152B5DF22E41913FC9D9B45
>       https://crt.sh/?sha256=DA7B1D433C071DA7A389EE2A4CAB854B89E441277B41E608F05FB7C7C6B2A761
> 
> For more, see:
> 
>       https://crt.sh/?O=test
> 
> I doubt there is an organization named "test" located in "test, Korea."
> 
> Regards,
> Andrew
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
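
The subject and SAN heuristics from the report above, as an added example that is not part of the original thread: a small Python triage pass over certificate records, as a CT-log monitor might run it. The placeholder pattern, the threshold, the record layout and the last sample record are assumptions made for illustration.

```python
import re

# Assumed heuristic: filler values are "test", "test1", or 1-3 digits.
PLACEHOLDER = re.compile(r"^(test\d*|\d{1,3})$", re.IGNORECASE)
CHECKED_ATTRS = ("ST", "L", "O", "OU")
MAX_BASE_DOMAINS = 5  # assumed threshold for "needs an ownership check"

def parse_dn(dn):
    """Split a simple 'K=V, K=V' subject string (no RFC 4514 escapes)."""
    pairs = []
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        pairs.append((key.upper(), value.strip()))
    return pairs

def placeholder_attrs(dn):
    """Subject attributes whose value looks like form filler."""
    return [k for k, v in parse_dn(dn)
            if k in CHECKED_ATTRS and PLACEHOLDER.match(v)]

def base_domains(sans):
    """Distinct last-two-label names (naive, no Public Suffix List)."""
    return {".".join(n.lower().lstrip("*.").split(".")[-2:]) for n in sans}

def review(cert):
    """Return human-readable findings for one certificate record."""
    findings = []
    bad = placeholder_attrs(cert["subject"])
    if bad:
        findings.append("placeholder subject values: " + ",".join(bad))
    bases = base_domains(cert["sans"])
    if len(bases) > MAX_BASE_DOMAINS:
        findings.append(f"{len(bases)} distinct base domains in SANs")
    return findings

# Subjects and SAN names quoted in the report; the pairing of subject to
# SAN list and the last record are constructed for illustration.
TEST_SANS = ["test.com"] + [f"test{i}.com" for i in (1, 2, 3, 4, 5, 6, 7, 8, 9, 11)]
SAMPLES = [
    {"subject": "C=KR, ST=1, L=1, O=12, OU=1", "sans": TEST_SANS},
    {"subject": "C=KR, ST=test, L=test, O=test, OU=test", "sans": ["a.example"]},
    {"subject": "C=US, ST=California, L=Oakland, O=Example Widgets Inc",
     "sans": ["www.example.org", "*.example.org"]},
]

if __name__ == "__main__":
    for cert in SAMPLES:
        print(cert["subject"], "->", review(cert) or "no findings")
```

A finding here only queues a certificate for manual review; whether the SAN domains share an owner still has to be checked against registration data, as the report does.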
