RE: Misissued/Suspicious Symantec Certificates

2017-01-21 Thread Steve Medin
The listed Symantec certificates were issued by one of our WebTrust audited
partners. We have reduced this partner's privileges to restrict further
issuance while we review this matter. We revoked all reported certificates
which were still valid that had not previously been revoked within the 24-hour
CA/B Forum guideline - these certificates each had "O=test". Our
investigation is continuing.

> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Andrew Ayer
> Sent: Thursday, January 19, 2017 4:46 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Misissued/Suspicious Symantec Certificates
> 
> I. Misissued certificates for example.com
> 
> On 2016-07-14, Symantec misissued the following certificates for
> example.com:
> 
>   https://crt.sh/?sha256=A8F14F52CC1282D7153A13316E7DA39E6AE37B1A10C16288B9024A9B9DC3C4C6
>   https://crt.sh/?sha256=8B5956C57FDCF720B6907A4B1BC8CA2E46CD90EAD5C061A426CF48A6117BFBFA
>   https://crt.sh/?sha256=94482136A1400BC3A1136FECA3E79D4D200E03DD20B245D19F0E78B5679EAF48
>   https://crt.sh/?sha256=C69AB04C1B20E6FC7861C67476CADDA1DAE7A8DCF6E23E15311C2D2794BFCD11
> 
> I confirmed with ICANN, the owner of example.com, that they did not
> authorize these certificates. These certificates were already revoked at
> the time I found them.
> 
> 
> II. Suspicious certificates for domains containing the word "test"
> 
> On 2016-11-15 and 2016-10-26, Symantec issued certificates for various
> domains containing the word "test" which I strongly suspect were
> misissued:
> 
>   https://crt.sh/?sha256=b81f339b971eb763cfc686adbac5c164b89ad03f8afb55da9604fd0d416bbd21
>   https://clicktime.symantec.com/a/1/uF90PPzN7N3_lTMmPb8YzXKK
> AfWPKKNmpvo_prjlE3Y=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> 
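The triage the report above does by hand, as an added Go example that is not part of the thread: identify a certificate by the SHA-256 of its DER bytes (the key the crt.sh links use) and flag a Subject Organization of "test" or a DNS SAN containing "test". The certificate it builds is a constructed self-signed sample with a fixed key, not one of the reported certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// CrtShURL keys a certificate by the SHA-256 of its DER bytes, the identifier the crt.sh links above use.
func CrtShURL(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return fmt.Sprintf("https://crt.sh/?sha256=%X", sum[:])
}

// Triage lists why a CT-logged certificate deserves review: a Subject O of "test", or a DNS SAN containing "test".
func Triage(cert *x509.Certificate) []string {
	var reasons []string
	for _, o := range cert.Subject.Organization {
		if strings.EqualFold(o, "test") {
			reasons = append(reasons, "subject O="+o)
		}
	}
	for _, name := range cert.DNSNames {
		if strings.Contains(strings.ToLower(name), "test") {
			reasons = append(reasons, "SAN contains \"test\": "+name)
		}
	}
	return reasons
}

// SampleCert builds a constructed self-signed certificate (hypothetical, not one from the thread) for offline runs.
func SampleCert(org string, dnsNames []string) (*x509.Certificate, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed all-zero seed: sample data only
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), DNSNames: dnsNames,
		Subject:      pkix.Name{Organization: []string{org}, CommonName: dnsNames[0]},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Running Triage over certificates pulled from a CT log (for example crt.sh's output for a CA's issuance) turns the manual review described in the report into a repeatable check.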

Re: Misissued/Suspicious Symantec Certificates

2017-01-21 Thread Nick Lamb
On Thursday, 19 January 2017 21:46:38 UTC, Andrew Ayer wrote:
> 2. The third certificate in the list above contains a SAN for
> DNS:*.crosscert.com - note that three of the misissued example.com
> certificates contain "Crosscert" in their Subject Organization.

Crosscert, aka Korea Electronic Certification Authority, Inc., has applied to the
Mozilla root programme and was identified as a "Super CA", which I understand to
mean that they themselves just sign other CA certificates for third parties.

Of course, these certificates were issued by Symantec as a member of Mozilla's
root programme; all responsibility for ensuring their CA doesn't issue bogus
certificates lies with Symantec, not with Crosscert.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy