An incident report was created for this yesterday:
https://bugzilla.mozilla.org/show_bug.cgi?id=1620922

> -----Original Message-----
> From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On Behalf Of Matt Palmer via dev-security-policy
> Sent: Tuesday 10 March 2020 1:41
> To: dev-security-policy@lists.mozilla.org
> Subject: GlobalSign: Failure to revoke certificate with compromised private key within 24 hours
> 
> A certificate with a publicly-disclosed private key was reported to GlobalSign for revocation within the BR-mandated 24 hour period; however, the revocation took place over 46 hours after the report was sent.  Several requests for information I had already provided were made by GlobalSign; however, the revocation eventually took place without any further information being required.  Communication from GlobalSign then appeared to suggest that the certificate had "already" been revoked, despite timestamps in the CRL indicating otherwise.
> 
> I believe an incident report for this event is warranted, given that GlobalSign was provided with sufficient information to revoke the certificate in the initial problem report (based on the fact that revocation eventually took place with no further information being provided by myself), but failed to do so within the BR-mandated time period.
> 
> Excruciatingly detailed timeline follows.
> 
> 2020-03-06 21:48:53Z E-mail sent to report-ab...@globalsign.com:
> 
> -----8<-----
> Date: Sat, 7 Mar 2020 08:48:53 +1100
> From: Matt Palmer <mpal...@hezmatt.org>
> To: report-ab...@globalsign.com
> Subject: Problem Report for certificate(s) with compromised private key
> 
> One or more certificates issued by your CA are using a private key which has been publicly disclosed.  The list of affected certificates can be retrieved from
> 
> https://crt.sh/?spkisha256=6a02703a7a2ba3f368a2915305383549cf8ada8262422697d62d5ba410e4d93f
> 
> Included below is a CSR, signed by the compromised private key, demonstrating proof of possession:
> 
> 
> Please revoke all affected certificates within 24 hours, as per the Baseline Requirements.
> 
> - Matt
> ----->8-----
> 
> 2020-03-06 21:49:04Z E-mail is accepted for delivery by a GlobalSign MX:
> 
> -----8<-----
> Mar  6 21:49:04 minotaur postfix/smtp[26026]: 75BC71857EE:
> to=<report-ab...@globalsign.com>,
> relay=globalsign-com.mail.protection.outlook.com[104.47.93.36]:25,
> delay=6.8, delays=0.47/0.01/0.9/5.4, dsn=2.6.0, status=sent (250 2.6.0
> <20200306214853.kpohtnh5y2m3k...@hezmatt.org> [InternalId=34857954577034,
> Hostname=HK0PR03MB2755.apcprd03.prod.outlook.com] 10967 bytes in 3.479,
> 3.078 KB/sec Queued mail for delivery)
> ----->8-----
> 
> 2020-03-06 21:49:15Z Auto-ack e-mail received from GlobalSign:
> 
> -----8<-----
> Dear Matt Palmer,
> 
> Thank you for reporting this issue to GlobalSign.  Case #04076325: "Problem Report for certificate(s) with compromised private key" has been created and a GlobalSign representative will investigate this immediately.  If requested you will receive a response from a designated representative as soon as possible.
> 
> Thank you,
> Customer Service Team  GlobalSign
> ----->8-----
> 
> 2020-03-06 22:08:06Z Human response from GlobalSign:
> 
> -----8<-----
> Hello,
> 
> Thank you for contacting GlobalSign.
> 
> We have received your report of certificate abuse.  GlobalSign takes these accusations very seriously.  We will be opening an investigation and will keep you updated on any advances we make.
> 
> Sincerely,
> Akshit Bhambota
> GlobalSign Support Team
> ----->8-----
> 
> 2020-03-06 22:21:22Z A rather odd form-looking e-mail is sent from
> GlobalSign:
> 
> -----8<-----
> Hello,
> 
> Thank you for submitting your report regarding the suspected fraudulent activity or misuse of a GlobalSign certificate.  In furtherance of this, we will require additional information to help us investigate further.
> 
> Order ID: ___________________________
> Serial # : ____________________________
> Domain/Common Name: __________________________
> 
> 
> GlobalSign takes these accusations very seriously and if the use of a certificate is deemed to be in violation of our policies, we have the right to revoke the certificate under the terms of our Subscriber Agreement.
> GlobalSign may revoke the certificate if no action is taken by the certificate owner.
> 
> If you have any questions about this report, please contact our support team anytime by responding to this email, live chat at www.globalsign.com (live chat button) or reach us to any of the numbers from this page
> https://www.globalsign.com/en/company/contact/
> 
> We will keep you posted for updates.
> Sincerely,
> GlobalSign Support Team
> ref:_00D20BO9n._5003Y1quzXh:ref
> ----->8-----
> 
> How exactly I'm supposed to know the Order ID of the certificate to be revoked is quite beyond me, while the serial number and domain name(s) of the certificate in question were available from the crt.sh link I provided in my initial e-mail.
> 
> 2020-03-06 22:59:58Z Another form-looking e-mail is sent from
> GlobalSign:
> 
> -----8<-----
> Hello,
> 
> Thank you for submitting your report regarding the suspected fraudulent activity or misuse of a GlobalSign certificate. In furtherance of this, we will require additional information to help us investigate further.
> 
> If you can provide me location of the private key or the link that would be great.
> 
> Order ID: ___________________________
> Serial # : ____________________________
> Domain/Common Name: __________________________
> 
> 
> GlobalSign takes these accusations very seriously and if the use of a certificate is deemed to be in violation of our policies, we have the right to revoke the certificate under the terms of our Subscriber Agreement. GlobalSign may revoke the certificate if no action is taken by the certificate owner.
> 
> If you have any questions about this report, please contact our support team anytime by responding to this email, live chat at www.globalsign.com (live chat button) or reach us to any of the numbers from this page
> https://www.globalsign.com/en/company/contact/
> 
> We will keep you posted for updates.
> Sincerely,
> GlobalSign Support Team
> 
> --------------- Original Message ---------------
> From: Report - Abuse [report-ab...@globalsign.com]
> Sent: 3/7/2020 3:51 AM
> To: mpal...@hezmatt.org
> Subject: Problem Report for certificate(s) with compromised private key [ ]
> 
> Hello,
> 
> Thank you for submitting your report regarding the suspected fraudulent activity or misuse of a GlobalSign certificate. In furtherance of this, we will require additional information to help us investigate further.
> 
> Order ID: ___________________________
> Serial # : ____________________________
> Domain/Common Name: __________________________
> 
> 
> GlobalSign takes these accusations very seriously and if the use of a certificate is deemed to be in violation of our policies, we have the right to revoke the certificate under the terms of our Subscriber Agreement. GlobalSign may revoke the certificate if no action is taken by the certificate owner.
> 
> If you have any questions about this report, please contact our support team anytime by responding to this email, live chat at www.globalsign.com (live chat button) or reach us to any of the numbers from this page
> https://www.globalsign.com/en/company/contact/
> 
> We will keep you posted for updates.
> Sincerely,
> GlobalSign Support Team
> ref:_00D20BO9n._5003Y1quzXh:ref
> ----->8-----
> 
> Yes, GlobalSign quoted their own e-mail to send more-or-less the same request for information already provided and/or unknowable by me, except this time with an additional invitation to submit a private key over unsecured e-mail.
> 
> 2020-03-07 14:26:28Z Yet another form-looking e-mail from GlobalSign:
> 
> -----8<-----
> Hello,
> 
> This is the follow up email for case you created with GlobalSign. Please reply us so we can investigate as soon as possible.
> 
> Thank you for submitting your report regarding the suspected fraudulent activity or misuse of a GlobalSign certificate. In furtherance of this, we will require additional information to help us investigate further.
> 
> If you can provide us location of the private key or the link from where you download the private key would be great.
> 
> Order ID: ___________________________
> Serial # : ____________________________
> Domain/Common Name: __________________________
> 
> 
> GlobalSign takes these accusations very seriously and if the use of a certificate is deemed to be in violation of our policies, we have the right to revoke the certificate under the terms of our Subscriber Agreement. GlobalSign may revoke the certificate if no action is taken by the certificate owner.
> 
> If you have any questions about this report, please contact our support team anytime by responding to this email, live chat at www.globalsign.com (live chat button) or reach us to any of the numbers from this page
> https://www.globalsign.com/en/company/contact/
> 
> We will keep you posted for updates.
> Sincerely,
> GlobalSign Support Team
> 
> --------------- Original Message ---------------
> From: Report - Abuse [report-ab...@globalsign.com]
> Sent: 3/7/2020 4:29 AM
> To: mpal...@hezmatt.org
> Subject: RE: Problem Report for certificate(s) with compromised private key [ ref:_00D20BO9n._5003Y1quzXh: [ ]
> 
> Hello,
> 
> Thank you for submitting your report regarding the suspected fraudulent activity or misuse of a GlobalSign certificate. In furtherance of this, we will require additional information to help us investigate further.
> 
> If you can provide me location of the private key or the link that would be great.
> 
> Order ID: ___________________________
> Serial # : ____________________________
> Domain/Common Name: __________________________
> 
> 
> GlobalSign takes these accusations very seriously and if the use of a certificate is deemed to be in violation of our policies, we have the right to revoke the certificate under the terms of our Subscriber Agreement. GlobalSign may revoke the certificate if no action is taken by the certificate owner.
> 
> If you have any questions about this report, please contact our support team anytime by responding to this email, live chat at www.globalsign.com (live chat button) or reach us to any of the numbers from this page
> https://www.globalsign.com/en/company/contact/
> 
> We will keep you posted for updates.
> Sincerely,
> GlobalSign Support Team
> 
> --------------- Original Message ---------------
> From: Report - Abuse [report-ab...@globalsign.com]
> Sent: 3/7/2020 3:51 AM
> To: mpal...@hezmatt.org
> Subject: Problem Report for certificate(s) with compromised private key [ ]
> 
> Hello,
> 
> Thank you for submitting your report regarding the suspected fraudulent activity or misuse of a GlobalSign certificate. In furtherance of this, we will require additional information to help us investigate further.
> 
> Order ID: ___________________________
> Serial # : ____________________________
> Domain/Common Name: __________________________
> 
> 
> GlobalSign takes these accusations very seriously and if the use of a certificate is deemed to be in violation of our policies, we have the right to revoke the certificate under the terms of our Subscriber Agreement. GlobalSign may revoke the certificate if no action is taken by the certificate owner.
> 
> If you have any questions about this report, please contact our support team anytime by responding to this email, live chat at www.globalsign.com (live chat button) or reach us to any of the numbers from this page
> https://www.globalsign.com/en/company/contact/
> 
> We will keep you posted for updates.
> Sincerely,
> GlobalSign Support Team
> ref:_00D20BO9n._5003Y1quzXh:ref
> ----->8-----
> 
> As far as I can tell, this was practically the same request as they had sent previously, just worded slightly differently.
> 
> 2020-03-08 00:42:05Z I notice the interesting stream of e-mails from GlobalSign that had arrived, and reply to the last of them as follows:
> 
> -----8<-----
> Date: Sun, 8 Mar 2020 11:42:05 +1100
> From: "mpal...@hezmatt.org" <mpal...@hezmatt.org>
> To: Report - Abuse <report-ab...@globalsign.com>
> Subject: Re: Problem Report for certificate(s) with compromised private key [ ref:_00D20BO9n._5003Y1quzXh: [ ref:_00D20BO9n._5003Y1quzXh:ref ]
> 
> The information you seek can be found from the crt.sh link I provided in the original report.
> 
> - Matt
> 
> [Quoted e-mails from GlobalSign elided]
> ----->8-----
> 
> 2020-03-08 20:12:32Z Certificate is revoked by GlobalSign.  (timestamp taken from the CRL revocation date on https://crt.sh/?id=2522275549)
> 
> 2020-03-09 11:03:28Z E-mail received from GlobalSign:
> 
> -----8<-----
> Hello Matt,
> 
> GlobalSign has received a report of abuse linked to certificate with common name www.lunarisecraft.ru.
> 
> This is to inform you that the said certificate has already been revoked from our records.
> 
> If you have any questions concerning this report, please contact our report abuse team anytime by responding to this email or emailing us directly at report-ab...@globalsign.com.
> 
> Sincerely,
> GlobalSign Support Team
> ----->8-----
> 
> Time from initial report sent (2020-03-06 21:48:53Z) to the revocation timestamp published in a CRL (2020-03-08 20:12:32Z): 46h 23m 32s
> 
> - Matt
> 
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
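The proof-of-possession check that the quoted problem report relies on, as an added example that is not part of the original thread or of GlobalSign's tooling: it assumes the openssl CLI is available, generates throwaway keys as constructed demo material, and verifies a reporter's CSR the way a triager would before matching its SPKI hash (the value crt.sh's spkisha256 lookup keys on) against an issued certificate.

```shell
#!/bin/sh
# Added example, not code from the original thread: the checks a CA-side
# triager (or a reporter) can run on a key-compromise problem report like the
# one quoted above. The report carries a CSR signed by the leaked key, so
# (1) verifying the CSR's self-signature proves the sender holds that private
# key, and (2) hashing the CSR's SubjectPublicKeyInfo yields the value that
# crt.sh's spkisha256 lookup keys on, identifying every certificate to revoke.
# Keys and certs below are generated on the fly as constructed demo material.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM CSR (crt.sh's spkisha256)
spki_sha256_of_csr() {
    openssl req -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# The same hash from a PEM certificate, so a report can be matched to a cert
spki_sha256_of_cert() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# "valid" only if the CSR signature verifies under the public key it carries
csr_proof_of_possession() {
    if openssl req -in "$1" -noout -verify >/dev/null 2>&1; then echo valid; else echo invalid; fi
}

# Decision for one report: reject unproven reports, revoke on an SPKI match
triage_report() {
    [ "$(csr_proof_of_possession "$1")" = valid ] || { echo "reject: no proof of possession"; return 0; }
    if [ "$(spki_sha256_of_csr "$1")" = "$(spki_sha256_of_cert "$2")" ]; then
        echo "revoke: key matches certificate, 24h BR clock is running"
    else
        echo "no-match: CSR key is not the certificate's key"
    fi
}

# Constructed demo material: a "leaked" key with a cert issued on it and a
# reporter's CSR signed by it, plus an unrelated key for a non-matching report
openssl genrsa -out "$WORK/leaked.key" 2048 2>/dev/null
openssl req -new -key "$WORK/leaked.key" -subj "/CN=This key has been publicly disclosed" -out "$WORK/report.csr" 2>/dev/null
openssl req -new -x509 -key "$WORK/leaked.key" -subj "/CN=demo.example" -days 1 -out "$WORK/issued.crt" 2>/dev/null
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
openssl req -new -key "$WORK/other.key" -subj "/CN=unrelated" -out "$WORK/other.csr" 2>/dev/null

triage_report "$WORK/report.csr" "$WORK/issued.crt"
triage_report "$WORK/other.csr" "$WORK/issued.crt"
```

The Order ID and serial number GlobalSign's form asked for are not needed for this check; the SPKI hash alone identifies every certificate sharing the leaked key.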
