About 24 hours ago, this gist was published to Github: https://gist.github.com/nstarke/a611a19aab433555e91c656fe1f030a9
It details two publicly-trusted certificates whose private keys are present in publicly-available Netgear firmware images.

One - which appears to remain valid at time of writing - is an OV certificate for "routerlogin.com" and variants, which was issued to Netgear by Entrust, https://crt.sh/?id=1955992027

The other, issued by Sectigo/Comodo for "mini-app.funjsq.com" ( https://crt.sh/?id=615809732 ) seems to have been revoked not long after publishing.

Although it has been revoked, I am still personally curious as to how and why Netgear came to be in possession of that latter certificate's private keys in the first place. If funjsq knowingly provided it to Netgear, a closer look at other funjsq-related certificates might be in order. (And if they did not, obviously, there was a deeper and more serious failure somewhere.)

There are a number of certificates issued for funjsq.com subdomains, from a few different CAs: https://crt.sh/?q=funjsq.com

One certificate, although it is expired, piqued my interest when I first saw it: https://crt.sh/?id=325345427 for "asus-plugin.funjsq.com". This subdomain is apparently active, though it is presently served using funjsq's wildcard cert.

-NK

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
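The finding above (private keys for publicly-trusted certificates shipped inside firmware images) is the kind of thing a vendor or auditor can catch before release. As an added example, not part of NK's post or of the linked gist, here is a small Python audit script that walks a firmware tree already unpacked with a tool such as binwalk, lists every PEM block it finds, flags the ones that are private keys, and fingerprints each block by the SHA-256 of its decoded DER so that the same key can be recognised when it appears in several files or images. The directory layout, file names and PEM bodies in `demo()` are constructed for the demonstration; the bodies are not real keys or certificates.

```python
import base64
import hashlib
import re
import sys
import tempfile
from pathlib import Path

# Any PEM block; the label (e.g. "RSA PRIVATE KEY", "CERTIFICATE") is captured
# so that private keys and certificates can be reported separately.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----",
    re.DOTALL,
)

# PEM labels that denote key material rather than public objects.
PRIVATE_KEY_LABELS = {
    "RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY",
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY",
}


def pem_blocks(data: bytes):
    """Yield (label, sha256_of_der) for every well-formed PEM block in a buffer."""
    for match in PEM_BLOCK.finditer(data):
        label = match.group(1).decode("ascii")
        body = re.sub(rb"\s+", b"", match.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError:
            continue  # the armour matched but the body is not base64: skip it
        yield label, hashlib.sha256(der).hexdigest()


def scan_tree(root, max_size=16 * 1024 * 1024):
    """Walk an unpacked firmware tree and return one finding per PEM block.

    Binaries and config files are scanned alike, since keys are often baked
    into a shared library or a web-server bundle rather than a .pem file.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file() or path.stat().st_size > max_size:
            continue
        for label, fingerprint in pem_blocks(path.read_bytes()):
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "label": label,
                "is_private_key": label in PRIVATE_KEY_LABELS,
                "sha256_der": fingerprint,
            })
    return findings


def _pem(label: str, payload: bytes) -> bytes:
    """Wrap arbitrary bytes in PEM armour (constructed test data, not a real key)."""
    return (b"-----BEGIN " + label.encode() + b"-----\n"
            + base64.encodebytes(payload)
            + b"-----END " + label.encode() + b"-----\n")


def demo():
    """Build a constructed firmware tree in a temp dir and scan it."""
    demo_key = _pem("RSA PRIVATE KEY", b"constructed demo key bytes, not a real key")
    demo_cert = _pem("CERTIFICATE", b"constructed demo certificate bytes")
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "usr" / "lib").mkdir(parents=True)
        # A cert+key bundle as a web server would load it.
        (root / "etc" / "server.pem").write_bytes(demo_cert + demo_key)
        # The same key embedded in the middle of a (fake) ELF binary.
        (root / "usr" / "lib" / "libapp.so").write_bytes(
            b"\x7fELF" + b"\x00" * 64 + demo_key + b"\x00" * 32)
        (root / "etc" / "README").write_bytes(b"no keys here\n")
        return scan_tree(root)


if __name__ == "__main__":
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        flag = "PRIVATE KEY" if f["is_private_key"] else "public object"
        print(f"{flag:14} {f['label']:24} {f['sha256_der'][:16]}  {f['path']}")
    print(f"{sum(f['is_private_key'] for f in results)} private key block(s) found")
```

Run it as `python scan.py /path/to/unpacked-rootfs`. The DER fingerprint is what makes the report useful across a vendor's product line: the same hash turning up in several models' images means one key is shared by all of them. Two limits are worth knowing: the script only sees PEM-armoured blocks, so keys stored as raw DER or inside compressed or encrypted partitions need unpacking or a DER-aware scanner first, and confirming that a found key belongs to a particular public certificate (as the gist does) requires comparing the key's public half with the certificate's SubjectPublicKeyInfo using a real ASN.1 parser.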

