On Saturday, August 18, 2018 at 2:27:05 PM UTC-7, Ben Laurie wrote:
> On Fri, 17 Aug 2018 at 18:22, Daymion Reynolds via dev-security-policy <
> [email protected]> wrote:
>
> > Revoke Disclosure
> >
> > GoDaddy has been proactively performing self-audits. As part of this
> > process, we identified a vulnerability in our code that would allow our
> > validation controls to be bypassed. This bug would allow for a Random Value
> > that was generated for intended use with Method 3.2.2.4.6 and 3.2.2.4.7 and
> > was validated using Method 3.2.2.4.2 by persons who were not confirmed as
> > the domain contact. This bug was introduced November 2014 and was leveraged
> > to issue a total of 865 certificates. The bug was closed hours after
> > identification, and in parallel we started the scope and revocation
> > activities.
> >
> > In accordance with CA/B Forum BR, section 4.9.1.1, all mis-issued
> > certificates were revoked within 24 hours of identification.
> >
> > A timeline of the Events for Revocation is as follows:
> >
> > 8/13 9:30am – Exploit issue surfaced as possible revocation event.
> > 8/13 9:30-4pm – Issue scope identification (at this point it was unknown),
> > gathering certificate list
> > 8/13 4pm – Certificate list finalized for revoke total 825 certs, Revoke
> > notification sent to cert owners.
>
> I presume you mean domain owners?
>
> Do we know if any of these certs were used? If so, how?
>
> > 8/14 1:30pm – All certificates revoked.
> >
> > Further research identified 40 certificates which contained re-use of
> > suspect validation information.
> > 8/15 – 2pm – Additional certificates identified due to re-use.
> > 8/15 – 2:30pm – Customers notified of pending revoke.
> > 8/16 – 12:30pm – All certificates revoked.
> >
> > We stand ready to answer any questions or concerns.
> > Daymion
Yes, domain owners. Yes, some of the certs were being used as typical server certs. We have not detected any nefarious activities.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
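The bypass described in the disclosure is a Random Value minted for one validation method (3.2.2.4.6/3.2.2.4.7) being accepted as proof under another (3.2.2.4.2). The sketch below is an added illustration, not GoDaddy's code, of how a CA's validation store can bind each value to its domain and method, refuse cross-method redemption, and record the attempt for the kind of scoping work the timeline describes; the class names, the in-memory store and the 30-day lifetime are assumptions.

```python
"""Bind a domain-validation Random Value to the method it was issued for.

Hypothetical illustration of the defensive check; not a CA's real code.
"""
import secrets
import time
from dataclasses import dataclass, field

# BR validation methods named in the disclosure.
EMAIL_CONTACT = "3.2.2.4.2"   # value is sent to the domain contact by email
WEBSITE_CHANGE = "3.2.2.4.6"  # value is shown to the requester to publish
DNS_CHANGE = "3.2.2.4.7"      # value is shown to the requester to publish


@dataclass
class RandomValue:
    domain: str
    method: str          # method the value was generated for
    issued_at: float
    used: bool = False
    value: str = field(default_factory=lambda: secrets.token_urlsafe(16))


class ValidationStore:
    def __init__(self, ttl_seconds=30 * 24 * 3600):  # assumed 30-day lifetime
        self.ttl = ttl_seconds
        self.by_value = {}
        self.audit = []  # (domain, method issued for, method presented under)

    def issue(self, domain, method):
        rv = RandomValue(domain, method, time.time())
        self.by_value[rv.value] = rv
        return rv.value

    def validate(self, domain, method, presented, now=None):
        """Accept a presented value only for the domain and method it was issued for."""
        now = time.time() if now is None else now
        rv = self.by_value.get(presented)
        if rv is None or rv.used or rv.domain != domain:
            return False
        if now - rv.issued_at > self.ttl:
            return False
        # The defect on the list: a value the requester already knows (6/7)
        # redeemed under the email method (2). Bind value to method instead.
        if rv.method != method:
            self.audit.append((domain, rv.method, method))
            return False
        rv.used = True  # single use, so a redeemed value cannot be replayed
        return True
```

The `audit` list is what a self-audit would query to enumerate affected validations and the certificates that reused them.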

