Hi there,

Today I published a blog post at https://ian.sh/etugra, describing several serious security issues I discovered in the e-Tugra certificate authority. I was able to obtain access to two e-Tugra administrative systems using default passwords, which disclosed numerous amounts of subscriber PII and verification details, and appeared to impact e-Tugra's domain control validation processes.
I am concerned that it is possible for these trivial vulnerabilities to be present in a publicly-trusted certificate authority. In light of the recent Symantec news <https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments-cert-authority>, certificate authorities are clearly being targeted by nation states, but these vulnerabilities could have been discovered by any amateur security researcher. From what I have seen, I firmly believe that additional security issues likely exist in e-Tugra's infrastructure, and they may already be known to adversaries.

The Network and Certificate System Security Requirements require an annual penetration test, or whenever the CA believes there are material changes. Based on this issue, I am concerned that this control is not sufficient to protect certificate authorities against application security issues, and I am concerned that e-Tugra is not following this control. I am also concerned with the lack of vulnerability disclosure programs and bug bounty programs that are operated by CAs in general; indeed, no certificate authority at all appears to run a bug bounty program at the moment.

I would suggest that e-Tugra be compelled to take remedial actions such as performing a comprehensive penetration test on their external infrastructure, and building processes to ensure that future applications that they deploy are secure. I also believe e-Tugra should ensure that these issues did not have the ability to compromise domain-control validation for any certificates still valid today.