Thank you for writing this up. Do any of the other CAs with trusted server certificates intend to publish similar reports? (Based on CT logs that'd be Comodo, Symantec, and GlobalSign).
Alex

On Tue, Oct 24, 2017 at 12:28 PM, Daymion Reynolds via dev-security-policy <[email protected]> wrote:

> Godaddy LLC first became aware of possible ROCA vulnerability exposure on Monday October 16th 2017 at 9:30am. The following are the steps we took for detection, revocation, and the permanent fix of certificate provisioning:
>
> • Monday October 16th 2017 AZ, first became aware of the ROCA vulnerability. We downloaded and modified the open source detection tool to audit 100% of the non-revoked and non-expired certs we had issued.
> • Early am Wednesday October 18th AZ we had our complete list of 7 certs with the ROCA defect. We verified the results and proceeded to start the revocation process. While cert revocation was in progress we started researching the long-term detection and prevention of the weak CSR vulnerability.
> • Early am Wednesday October 18th AZ Rob Stradling released a list of certs with the vulnerability. 2/7 we revoked were on the list. https://misissued.com/batch/28/
> • Thursday October 19th by 2:02am AZ, we completed the 7 cert revocations. Revocations included customer outreach to advise the customer of the vulnerability.
> • Thursday October 19th AZ, two CSRs were submitted for commonNames “scada2.emsglobal.net” & “scada.emsglobal.net” and were issued. Each request had used the vulnerable keys for CSR generation. We revoked the certs again on Thursday October 19th AZ. During this period, we reached out to the customer to educate them regarding the vulnerability and inform them they needed to generate a new keypair from an unimpacted device. Customer was unreachable. Friday October 20th AZ, another cert was issued for commonName “scada.emsglobal.net” using a CSR generated with a weak key. We then took measures to prevent future certs from being issued to the same common name and revoked the cert on October 20th 2017 AZ.
>
> commonName             crt.sh-link
> scada.emsglobal.net    https://crt.sh/?id=3084867
> scada.emsglobal.net    https://crt.sh/?id=238721704
> scada.emsglobal.net    https://crt.sh/?id=238721807
> scada2.emsglobal.net   https://crt.sh/?id=238720969
> scada2.emsglobal.net   https://crt.sh/?id=238721559
>
> • Saturday October 21st 2017 AZ & Sunday October 22nd 2017 AZ, we scanned our cert store and identified 0 vulnerable certs.
> • Monday October 23, 2017 AZ, we have deployed a permanent fix to prevent future CSRs generated using weak keys from being submitted. Post scanning of the environment concluded 0 certificates at risk.
>
> Below is a complete list of certs under GoDaddy management impacted by this vulnerability.
>
> Alias                          crt.sh-link
> alarms.realtimeautomation.net  https://crt.sh/?id=33966207
> scada.emsglobal.net            https://crt.sh/?id=3084867
>                                https://crt.sh/?id=238721704
>                                https://crt.sh/?id=238721807
> www.essicorp-scada.com         https://crt.sh/?id=238720405
> marlboro.bonavistaenergy.com   https://crt.sh/?id=238720743
> scada2.emsglobal.net           https://crt.sh/?id=238720969
>                                https://crt.sh/?id=238721559
> www.jointboardclearscada.com   https://crt.sh/?id=238721242
> *.forgenergy.com               https://crt.sh/?id=238721435
>
> Regards,
> Daymion Reynolds
> GoDaddy PKI
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
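The check GoDaddy describes, first run over its whole certificate store and then wired in as a gate on incoming CSRs, is the public ROCA fingerprint from Nemec et al. (CCS 2017): the modulus reduced modulo each of 38 small primes must land in the subgroup generated by 65537. The following is an added example in stdlib Python, not GoDaddy's tool or the roca-detect project's code; it implements that fingerprint, parses the `Modulus=HEX` line that `openssl x509 -noout -modulus` and `openssl req -noout -modulus` print so it can sit in front of issuance, and builds two constructed inputs (a ROCA-structured modulus as a positive control and `2^512 + 3` as a negative control) to validate the detector. The parameter values in `constructed_roca_modulus` are arbitrary constructed values, not from any real key.

```python
import math
import re

# Added example, not GoDaddy's or roca-detect's code.
# ROCA fingerprint (Nemec et al., "The Return of Coppersmith's Attack", CCS 2017):
# an affected RSA prime has the form p = k*M + (65537^a mod M) with M a primorial,
# so the modulus N = p*q satisfies N mod r = 65537^(a+b) mod r for every small
# prime r dividing M. A key whose residue mod each r is a power of 65537 matches
# the fingerprint; a properly generated key almost never does (about 2^-154 per key).

GENERATOR = 65537
# The 38 odd primes the published fingerprint checks (2 is skipped: RSA moduli are odd).
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
                71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
                149, 151, 157, 163, 167]


def _power_residues(r):
    """All values of 65537^k mod r: the subgroup a ROCA modulus is confined to."""
    seen, x = set(), 1
    while x not in seen:  # 65537 is coprime to r, so the orbit returns to 1
        seen.add(x)
        x = (x * GENERATOR) % r
    return frozenset(seen)


RESIDUE_SETS = {r: _power_residues(r) for r in SMALL_PRIMES}


def first_failing_prime(n):
    """Return the first small prime whose residue rules out ROCA structure, or None."""
    for r in SMALL_PRIMES:
        if n % r not in RESIDUE_SETS[r]:
            return r
    return None


def has_roca_fingerprint(n):
    """True when every residue matches: treat the key as ROCA-affected and reject it."""
    return first_failing_prime(n) is None


def modulus_from_openssl_output(text):
    """Parse the 'Modulus=HEX' line printed by `openssl x509|req -noout -modulus`."""
    m = re.search(r"^Modulus=([0-9A-Fa-f]+)\s*$", text, re.MULTILINE)
    if m is None:
        raise ValueError("no Modulus= line found")
    return int(m.group(1), 16)


def constructed_roca_modulus(a=17, b=23, k1=2**36 + 12345, k2=2**36 + 98765):
    """Constructed positive control: a ~512-bit modulus with ROCA structure.

    M is the primorial of the first 39 primes, the value the affected library used
    for 512-bit keys. The factors are not checked for primality; the fingerprint
    depends only on N modulo the small primes, which is all a detector test needs.
    All parameter defaults are arbitrary constructed values.
    """
    M = math.prod([2] + SMALL_PRIMES)
    p = k1 * M + pow(GENERATOR, a, M)
    q = k2 * M + pow(GENERATOR, b, M)
    return p * q


# Constructed negative control: 2^512 + 3 is 0 mod 7, and 0 is never a power of
# 65537, so the check rejects it at the third prime.
CONTROL_MODULUS = 2**512 + 3


if __name__ == "__main__":
    for label, n in [("constructed ROCA modulus", constructed_roca_modulus()),
                     ("control modulus", CONTROL_MODULUS)]:
        print(f"{label}: fingerprint={has_roca_fingerprint(n)} "
              f"first_failing_prime={first_failing_prime(n)}")
```

In a CA pipeline the same two calls serve both phases of the report: feed `openssl x509 -in cert.pem -noout -modulus` output through `modulus_from_openssl_output` for the one-off audit of issued certificates, and `openssl req -in csr.pem -noout -modulus` output for the permanent gate that refuses a CSR whose key carries the fingerprint, which is what would have stopped the re-submissions for scada.emsglobal.net before issuance.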

