I wanted to send out a status of where we are on the ROCA vulnerable 
certificates issued by GlobalSign.  A full report will be coming later this 
week once we've completed the revocations, but here is a summary of the scope 
and status as it stands right now.

Here's the Timeline:

10/16: Became aware of the ROCA issue via a post to mdsp list.

10/17-18: Created and ran a report over all active SSL certificates in our 
database that showed there were 53 vulnerable SSL certificates.  They are all 
from one customer and they are all under the ".apsch.by" domain. 

10/18: Received link with a list of 35 GlobalSign issued SSL certificates, all 
of which were on our report: https://misissued.com/batch/28/

10/19: Customer was contacted and we let them know about the issue.  These are 
used within a tolling system which, if revoked, would result in substantial 
disruption of commercial services.  They immediately initiated the process to get 
them replaced; however, due to the location of the devices and the need to 
generate the keys using a new process (which is not vulnerable), they need 
approximately 2 weeks to perform the replacement.  They have firm plans to 
complete this by November 3rd.

We're prioritizing the fix to prohibit issuance of additional SSL certificates 
with this vulnerability, and in the meantime we're running the report every few 
days to verify no new certificates were issued with this vulnerability. 

We'll complete the full report as soon as we perform the revocations.

Doug
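The "report over all active SSL certificates" described above is, in practice, a scan of each certificate's RSA modulus for the public ROCA fingerprint (the small-prime residue test published with the ROCA paper and implemented in the roca-detect tool). The following is an added example written for this page, not GlobalSign's report code and not the roca-detect code itself: it implements that fingerprint test in pure Python on integer moduli. The moduli, certificate ids and the `scan_certificates` helper are constructed for illustration; extracting the modulus from a real certificate is left to whatever X.509 library is in use.

```python
# Added example, not part of the original mailing-list post.
# Implements the ROCA fingerprint test: an RSA modulus n produced by the
# affected key generator has, for every small prime p below, a residue
# n mod p that lies in the multiplicative subgroup generated by 65537 mod p.
# A modulus from a sound generator almost always fails this for some p.

PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
          67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137,
          139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def _subgroup(p: int) -> frozenset:
    """All residues 65537^k mod p (the subgroup that 65537 generates)."""
    residues, r = set(), 1
    for _ in range(p - 1):          # the subgroup order divides p - 1
        residues.add(r)
        r = (r * GENERATOR) % p
    return frozenset(residues)


# Precompute the allowed residue set once per prime.
SUBGROUPS = {p: _subgroup(p) for p in PRIMES}


def is_roca_fingerprinted(n: int) -> bool:
    """True when n mod p is in 65537's subgroup for every fingerprint prime."""
    return all((n % p) in SUBGROUPS[p] for p in PRIMES)


def scan_certificates(certs):
    """Return ids of (cert_id, modulus) pairs whose modulus is fingerprinted.

    A positive result is a signal to revoke and re-key, as the post describes.
    """
    return [cert_id for cert_id, modulus in certs if is_roca_fingerprinted(modulus)]


# --- Constructed sample input (not real certificates) ---------------------
# M_ODD is the product of the fingerprint primes. A value of the form
# 65537^x mod M_ODD + t*M_ODD has exactly the residue pattern of a ROCA key,
# so it serves as a constructed positive; M_ODD + 2 fails already at p = 11
# (65537 is -1 mod 11, so its subgroup there is {1, 10}).
M_ODD = 1
for _p in PRIMES:
    M_ODD *= _p
SAMPLE_VULNERABLE = pow(GENERATOR, 12345, M_ODD) + 7 * M_ODD   # hypothetical
SAMPLE_OK = M_ODD + 2                                          # hypothetical
SAMPLE_CERTS = [("cert-A", SAMPLE_VULNERABLE), ("cert-B", SAMPLE_OK)]

if __name__ == "__main__":
    for cert_id, modulus in SAMPLE_CERTS:
        print(cert_id, "fingerprinted" if is_roca_fingerprinted(modulus) else "clean")
    print("flagged:", scan_certificates(SAMPLE_CERTS))   # flagged: ['cert-A']
```

The residue test is cheap enough to run over an entire certificate database on every issuance, which is how the "run the report every few days" check in the post can be turned into a pre-issuance linting step: reject any CSR whose public key is fingerprinted before a certificate is ever signed.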

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy