All, I have opened an issue in Github to begin work on drafting reporting requirements for CA operators that encounter cyberattacks and other kinds of security-related incidents. See https://github.com/mozilla/pkipolicy/issues/252 (Add Requirements for Reporting Attacks and other Security Incidents).

Ben

On Tue, Aug 23, 2022 at 1:58 PM Matthias Merkel <[email protected]> wrote:

> Absolutely, it is important that CAs are transparent about these incidents, that's why I said "if handled properly" - but I don't think that was an issue here? I understand that Entrust has not provided many details, but they did not hide the breach either. Removing CAs for non-critical security breaches that are being properly handled and disclosed would probably achieve the opposite, i.e. CAs trying to hide them completely.
>
> Maybe there should be a policy that requires CAs to disclose incidents not involving CA operations on Bugzilla in detail like they do mis-issuances?
>
> Matthias Merkel
>
> On Tue, Aug 23, 2022 at 9:52 PM Jeffrey Walton <[email protected]> wrote:
>
>> On Tuesday, August 23, 2022 at 2:58:53 PM UTC-4 [email protected] wrote:
>>
>>> I agree that even considering removing a CA just because of a compromise unrelated to CA infrastructure is completely inappropriate if the breach has been handled well.
>>>
>>> As long as a breach is handled properly and learned from, there should be no reason to take such drastic measures, especially if no misissuance occurred. At least this allows for security problems to be resolved.
>>>
>>> If we remove every CA that ever had any incident of any kind, we will end up with only new CAs that likely have even more security problems, just ones no one has discovered yet.
>>
>> I think you may be missing the bigger picture. The industry is built upon trust. Lack of transparency has some people concerned. I really don't trust companies when they say "trust us...". It makes the hair on the back of my neck stand up.
>>
>> "Trust us" failed with DigiNotar, and it failed with Symantec when they were repeatedly caught issuing certificates for domains not under their administrative control. Once the trust is lost the commodity the company is peddling evaporates.
>>
>> If Firefox or Chrome has a bug, the browsers are transparent about it. It usually lands in the bug tracker or change log. Everyone knows about it due to the transparency. It is easy to trust a browser because we can verify it.
>>
>> Jeff
>>
>>> On Tue, 23 Aug 2022, 20:53 Phillip Hallam-Baker, <[email protected]> wrote:
>>>
>>>> Is Mozilla going to hold itself accountable to whatever absurd maximalist requirements come from the game of 'beat up the third party because we have power here'?
>>>>
>>>> Browsers have bugs. The result of a coding error that permits a script injection or buffer run attack is at least as serious as any error or omission by any CA. In my experience, those are found with much higher frequency than CA errors or omissions.
>>>>
>>>> The issue with DigiNotar was not that they were breached, it was that they lied about it. The breach itself was a lot more serious because of the way they had configured their internal systems but even that might have been fixable if they hadn't lied about the breach.
>>>>
>>>> I haven't worked for a CA for several years now. I do Threshold Key Infrastructure these days.
>>>>
>>>> On Tue, Aug 23, 2022 at 10:46 AM 'LB' via [email protected] <[email protected]> wrote:
>>>>
>>>>> It does not feel right, I agree Mr Hurst.
>>>>>
>>>>> More information from the attack is coming to light, and it is concerning.
>>>>>
>>>>> To Mozilla: when the full extent of the leak comes out, with the data (and it will) - what will be your threshold for action? Are you expecting '-----begin rsa private key-----' or something less?
>>>>>
>>>>> Risk is posed to all users of Mozilla products (and also Microsoft and Apple and Google who I am sure are having similar thoughts).
>>>>>
>>>>> At very least Entrust should stop issuing certificates - they should have before. Why do we trust Entrust here?
>>>>>
>>>>> What will Mozilla do if it comes to light there was a real compromise and huge risk and Mozilla knew privately but did nothing? Is risk to internet users of no concern?
>>>>>
>>>>> ------- Original Message -------
>>>>> On Monday, August 22nd, 2022 at 16:47, Ryan Hurst <[email protected]> wrote:
>>>>>
>>>>> While that is positive news I will point out that in past incidents a compromise of non-issuance related infrastructure enabled attackers to achieve lateral movement which in turn led to deeper compromises; in some cases such as DigiNotar, this led to mis-issuance.
>>>>>
>>>>> I think if nothing else this begs the question what kind of notification requirements to the community should exist for such situations.
>>>>>
>>>>> It just doesn't feel right that this incident is public and the only details relating to its impact on the WebPKI are discovered by the community in this fashion.
>>>>>
>>>>> Ryan Hurst
>>>>> (Personal Capacity)
>>>>>
>>>>> On Mon, Aug 22, 2022 at 8:28 AM Ben Wilson <[email protected]> wrote:
>>>>>
>>>>>> Actually, Entrust reached out about a month ago with this message to me:
>>>>>>
>>>>>> *On June 18, 2022, we determined that an unauthorized party accessed certain of our systems used for internal operations – functions such as HR, finance, and marketing. We promptly began an investigation with the assistance of a leading third-party cybersecurity firm and have informed law enforcement.*
>>>>>>
>>>>>> *While our investigation is ongoing, we have found no indication to date that the issue has affected the operation or security of our products and services, which are run in separate environments from our internal systems and are fully operational. Regarding our Public Certification Authority - all roots are offline and require multiple security cleared people be physically present in a secure room to access.*
>>>>>>
>>>>>> *We take seriously our responsibility to protect our systems and have been engaged with our customers on the issue.*
>>>>>>
>>>>>> As stated, there was no impact to our roots as the roots are offline and can only be accessed if two people are physically present in a secure room. Also, our PKI system is on a separated infrastructure, so was not accessed.
>>>>>>
>>>>>> Since there has been no impact to our PKI and certificate issuance systems, which use roots distributed by your application, we did not raise an incident.
>>>>>>
>>>>>> On Mon, Aug 22, 2022 at 9:26 AM 'LB' via [email protected] <[email protected]> wrote:
>>>>>>
>>>>>>> Given news that Entrust were subject to a ransomware attack, which until now they have not confirmed or given any details on in public - at what point do we need to assume the CAs and CA operations are compromised?
>>>>>>>
>>>>>>> Should action be taken by Mozilla to eliminate risk and remove trust in root authority?
-- 
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYkO%3DkeiAXL1sekp%2Bw%2BaxGd8nqSN4Mr1jnKLOYja%2BWR%2BQ%40mail.gmail.com.
