It does not feel right, I agree Mr Hurst. More information from the attack is coming to light, and it is concerning.
To Mozilla: when the full extent of the leak comes out, with the data (and it will) - what will be your threshold for action? Are you expecting '-----begin rsa private key-----' or something less? Risk is posed to all users of Mozilla products (and also Microsoft and Apple and Google who I am sure are having similar thoughts). At the very least Entrust should stop issuing certificates - they should have before. Why do we trust Entrust here? What will Mozilla do if it comes to light there was a real compromise and huge risk and Mozilla knew privately but did nothing? Is risk to internet users of no concern?

------- Original Message -------
On Monday, August 22nd, 2022 at 16:47, Ryan Hurst <[email protected]> wrote:

> While that is positive news I will point out that in past incidents
> compromise of non-issuance related infrastructure enabled attackers to
> achieve lateral movement which in turn led to deeper compromises, in some
> cases such as DigiNotar, this led to mis-issuance.
>
> I think if nothing else this begs the question what kind of notification
> requirements to the community should exist for such situations.
>
> It just doesn't feel right that this incident is public and the only details
> relating to its impact on the WebPKI are discovered by the community in this
> fashion.
>
> Ryan Hurst
> (Personal Capacity)
>
> On Mon, Aug 22, 2022 at 8:28 AM Ben Wilson <[email protected]> wrote:
>
>> Actually, Entrust reached out about a month ago with this message to me:
>>
>> On June 18, 2022, we determined that an unauthorized party accessed certain
>> of our systems used for internal operations – functions such as HR, finance,
>> and marketing. We promptly began an investigation with the assistance of a
>> leading third-party cybersecurity firm and have informed law enforcement.
>>
>> While our investigation is ongoing, we have found no indication to date that
>> the issue has affected the operation or security of our products and
>> services, which are run in separate environments from our internal systems
>> and are fully operational. Regarding our Public Certification Authority -
>> all roots are offline and require multiple security cleared people be
>> physically present in a secure room to access.
>>
>> We take seriously our responsibility to protect our systems and have been
>> engaged with our customers on the issue.
>>
>> As stated, there was no impact to our roots as the roots are offline and can
>> only be accessed if two people are physically present in a secure room.
>> Also, our PKI system is on a separated infrastructure, so was not accessed.
>>
>> Since there has been no impact to our PKI and certificate issuance systems,
>> which use roots distributed by your application, we did not raise an
>> incident.
>>
>> Ben
>>
>> On Mon, Aug 22, 2022 at 9:26 AM 'LB' via [email protected]
>> <[email protected]> wrote:
>>
>>> Given news that Entrust were subject to a ransomware attack, which until
>>> now they have not confirmed or given any details on in public - at what point
>>> do we need to assume the CAs and CA operations are compromised?
>>>
>>> Should action be taken by Mozilla to eliminate risk and remove trust in
>>> root authority?
