On Fri, 28 Feb 2020 21:50:47 -0800 (PST) Jacob Hoffman-Andrews via dev-security-policy <[email protected]> wrote:
> Also posted to https://bugzilla.mozilla.org/show_bug.cgi?id=1619047 Hi Jacob, was there a reason not to use the ordinary incident reporting format ? This is pretty good for ensuring you cover all the questions we're otherwise likely to ask anyway. > On 2020-02-29 UTC, Let’s Encrypt found a bug in our CAA code. Our CA > software, Boulder, checks for CAA records at the same time it > validates a subscriber’s control of a domain name. Most subscribers > issue a certificate immediately after domain control validation, but > we consider a validation good for 30 days. That means in some cases > we need to check CAA records a second time, just before issuance. > Specifically, we have to check CAA within 8 hours prior to issuance > (per BRs §3.2.2.8), so any domain name that was validated more than 8 > hours ago requires rechecking. For example "found a bug" _probably_ means that programmers in the course of their ordinary work realised there was a logical error in the Boulder software, but people might also use it to describe figuring out the cause of problems reported to them by a third party, which has different implications for security. The usual "How did you learn of this incident?" question ensure a clear answer. > The bug: when a certificate request contained N domain names that > needed CAA rechecking, Boulder would pick one domain name and check > it N times. What this means in practice is that if a subscriber > validated a domain name at time X, and the CAA records for that > domain at time X allowed Let’s Encrypt issuance, that subscriber > would be able to issue a certificate containing that domain name > until X+30 days, even if someone later installed CAA records on that > domain name that prohibit issuance by Let’s Encrypt. It seems unlikely that in practice this bug has inconvenienced a subscriber, let alone enabled adversaries to actually get miss-issued certificates - but given Let's Encrypt operates a self-help forum for users it may be worth spending a few minutes searching for related problems in those forums once the timespan involved is clear to see if any of your users reported symptoms from this bug that were missed. If it's not very difficult it would also be useful to have some idea how many certificates might be affected. That is, how many certificates were really issued to multiple FQDNs (if a single FQDN the bug described has no effect) more than 8 hours after initial correct CAA checks ? Intuitively this should be almost none, but intuitions can be misleading. Nick. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
