On Monday, August 20, 2018 at 10:40:15 AM UTC-7, Wayne Thayer wrote:
> Thank you for the disclosure Daymion. I have created bug 1484766 to track
> this issue. I've requested an incident report to help the community better
> understand what happened and what can and is being done to prevent similar
> problems in the future, as described in the last two topics [1]:
>
> 6. Explanation about how and why the mistakes were made or bugs introduced,
> and how they avoided detection until now.
> 7. List of steps your CA is taking to resolve the situation and ensure such
> issuance will not be repeated in the future, accompanied with a timeline of
> when your CA expects to accomplish these things.
>
> - Wayne
>
> [1] https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report
>
> On Mon, Aug 20, 2018 at 9:26 AM Daymion Reynolds via dev-security-policy
> <[email protected]> wrote:
>
> > On Saturday, August 18, 2018 at 2:27:05 PM UTC-7, Ben Laurie wrote:
> > > On Fri, 17 Aug 2018 at 18:22, Daymion Reynolds via dev-security-policy
> > > <[email protected]> wrote:
> > >
> > > > Revoke Disclosure
> > > >
> > > > GoDaddy has been proactively performing self-audits. As part of this
> > > > process, we identified a vulnerability in our code that would allow our
> > > > validation controls to be bypassed. This bug would allow for a Random Value
> > > > that was generated for intended use with Method 3.2.2.4.6 and 3.2.2.4.7 and
> > > > was validated using Method 3.2.2.4.2 by persons who were not confirmed as
> > > > the domain contact. This bug was introduced November 2014 and was leveraged
> > > > to issue a total of 865 certificates. The bug was closed hours after
> > > > identification, and in parallel we started the scope and revocation
> > > > activities.
> > > >
> > > > In accordance with CA/B Forum BR, section 4.9.1.1, all mis-issued
> > > > certificates were revoked within 24 hours of identification.
> > > >
> > > > A timeline of the Events for Revocation is as follows:
> > > >
> > > > 8/13 9:30am – Exploit issue surfaced as possible revocation event.
> > > > 8/13 9:30-4pm – Issue scope identification (at this point it was unknown),
> > > > gathering certificate list
> > > > 8/13 4pm – Certificate list finalized for revoke total 825 certs, Revoke
> > > > notification sent to cert owners.
> > >
> > > I presume you mean domain owners?
> > >
> > > Do we know if any of these certs were used? If so, how?
> > >
> > > > 8/14 1:30pm – All certificates revoked.
> > > >
> > > > Further research identified 40 certificates which contained re-use of
> > > > suspect validation information.
> > > > 8/15 – 2pm – Additional certificates identified due to re-use.
> > > > 8/15 – 2:30pm – Customers notified of pending revoke.
> > > > 8/16 – 12:30pm – All certificates revoked.
> > > >
> > > > We stand ready to answer any questions or concerns.
> > > > Daymion
> >
> > Yes, domain owners.
> >
> > Yes, some of the certs were being used as typical server certs. We have
> > not detected any nefarious activities.
> > _______________________________________________
> > dev-security-policy mailing list
> > [email protected]
> > https://lists.mozilla.org/listinfo/dev-security-policy

Wayne, I have found the bug. Will add information to it soon.

-Daymion
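The control failure in the quoted disclosure, as an added illustration that is not GoDaddy's code: a Random Value is bound to the domain and to the BR method it was issued for, is single-use and expires, so a value generated for 3.2.2.4.6 or 3.2.2.4.7 is rejected if presented through the 3.2.2.4.2 path. The store, method labels, 30-day TTL and `validate_unsafe` (the unbound lookup that makes such a bypass possible) are assumptions for the example.

```python
import secrets
import time
from dataclasses import dataclass

# BR validation methods named in the disclosure (labels are the example's own)
METHOD_EMAIL_TO_CONTACT = "3.2.2.4.2"  # email/fax/SMS/postal to domain contact
METHOD_WEBSITE_CHANGE = "3.2.2.4.6"    # agreed-upon change to website
METHOD_DNS_CHANGE = "3.2.2.4.7"        # DNS change


@dataclass
class RandomValue:
    value: str
    domain: str
    issued_for_method: str  # the value is only valid for this method
    issued_at: float
    consumed: bool = False  # single-use: blocks re-use of validation data


class ValidationStore:
    """Hypothetical Random Value store; not any CA's real implementation."""

    def __init__(self, ttl_seconds=30 * 24 * 3600):
        self.ttl = ttl_seconds
        self._by_value = {}

    def issue(self, domain, method, now=None):
        rv = RandomValue(secrets.token_urlsafe(16), domain, method,
                         time.time() if now is None else now)
        self._by_value[rv.value] = rv
        return rv.value

    def validate_unsafe(self, value, domain):
        # Weak pattern: only checks that some value exists for the domain, so a
        # value meant for a website/DNS change is accepted on any channel,
        # including from a party never confirmed as the domain contact.
        rv = self._by_value.get(value)
        return rv is not None and rv.domain == domain

    def validate(self, value, domain, method, now=None):
        # Hardened: domain AND method must match, value must be unexpired and
        # unused, and it is burned on success so it cannot validate twice.
        now = time.time() if now is None else now
        rv = self._by_value.get(value)
        if rv is None or rv.consumed or rv.domain != domain:
            return False
        if rv.issued_for_method != method or now - rv.issued_at > self.ttl:
            return False
        rv.consumed = True
        return True
```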

