On Tue, Jun 6, 2023 at 7:54 AM Israr Ahmed <[email protected]> wrote:
>
> Dear Mozilla community members,
>
> E-Tugra treated this incident with utmost seriousness upon its report, taking
> immediate actions as acknowledged by Ian Carroll on November 18, 2022
> https://groups.google.com/a/ccadb.org/g/public/c/SXAeHT04TFc/m/AJ8S0XuXAwAJ?utm_medium=email&utm_source=footer
>
> It is important to note that the exploited application did not have any
> impact on the certificate life cycle process.

Is ordering certificates not part of the lifecycle process?

> Specifically, the validation of DV certificates is directly handled by
> SSL.com, without involving E-Tugra.

This seems to suggest that we should continue that happy state of affairs.

> In response to the incident, we conducted comprehensive investigations to
> identify any potential presence of attackers and took the necessary steps to
> safeguard the integrity of our infrastructure and protect our users' data.
> Further details regarding the actions taken can be found:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1801345#c18
>
> We acknowledge that there were administrative weaknesses in our
> responsiveness to the community and forums, as well as the completion of the
> pen testing exercise leading to frustration.

Is there some other competent security team at E-Tugra that would respond to a breach of your issuing infrastructure?

> However, we want to emphasize that the information provided was fully
> transparent, and nothing was concealed from the community.

I would not describe the incident report as a model of clarity: it's 2 pages, with plenty of whitespace, and thinks "Nov 13, 2022: The issues were fixed immediately" is an adequate timeline entry. That's after 5 days to write it.

> We have already shared this information with both Chrome and Mozilla Root
> programs. While we are willing to share the requested information with the
> root store, we maintain our stance that there was no exploitation in the
> certificate life cycle process. Therefore, we kindly request that root stores
> consider our request to remain listed.
>
> We can confirm that [email protected] and [email protected] represent
> E-Tugra as [email protected] and [email protected]. The duplicate
> comment was a result of a technical issue where the page did not immediately
> reflect the posted comment, and it was subsequently posted by another
> representative, leading to its duplication.
>
> We strongly believe in collaborative work with root stores and community
> members. We are open to highlighting any information or details that can
> benefit the community, and we are fully prepared to provide it. We have the
> necessary evidence, which will be presented to auditors during the upcoming
> audit (end of July). The audit report will address this incident and related
> security issues.

Audit reports are an important aspect of the process.

I think we should distrust e-trust: there is no reason not to.

Sincerely,
Watson Ladd
