The listed Symantec certificates were issued by one of our WebTrust audited
partners. We have reduced this partner's privileges to restrict further
issuance while we review this matter. We revoked all reported certificates
which were still valid that had not previously been revoked within the 24
hour CA/B Forum guideline - these certificates each had "O=test". Our
investigation is continuing.
> -Original Message-
> From: dev-security-policy [mailto:dev-security-policy-
> bounces+steve_medin=symantec@lists.mozilla.org] On Behalf Of
> Andrew Ayer
> Sent: Thursday, January 19, 2017 4:46 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Misissued/Suspicious Symantec Certificates
>
> I. Misissued certificates for example.com
>
> On 2016-07-14, Symantec misissued the following certificates for
> example.com:
>
> https://clicktime.symantec.com/a/1/LyhH99FiQBwyOqKcts8QGJ75k6
> TPEC_N7jOPRSjGhkA=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D=https%3A%2F%2Fcrt.sh%2F%
> 3Fsha256%3DA8F14F52CC1282D7153A13316E7DA39E6AE37B1A10C16288B902
> 4A9B9DC3C4C6
> https://clicktime.symantec.com/a/1/_X1-
> P9bvSq0r_QG43YQ6BwhHeeRl4IrY8ebwWh9HWiQ=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D=https%3A%2F%2Fcrt.sh%2F%
> 3Fsha256%3D8B5956C57FDCF720B6907A4B1BC8CA2E46CD90EAD5C061A426C
> F48A6117BFBFA
> https://clicktime.symantec.com/a/1/1ux2sxPZpTNuRjN4JV5qOj0550
> RDi16i7NLrqi0eFaY=?d=6VMu_T-sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D=https%3A%2F%2Fcrt.sh%2F%
> 3Fsha256%3D94482136A1400BC3A1136FECA3E79D4D200E03DD20B245D19F0E
> 78B5679EAF48
> https://clicktime.symantec.com/a/1/YT02EQBzJ13G0VwF_VLruHbKA
> Ep4LXe40icNc0DLwUA=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D=https%3A%2F%2Fcrt.sh%2F%
> 3Fsha256%3DC69AB04C1B20E6FC7861C67476CADDA1DAE7A8DCF6E23E15311
> C2D2794BFCD11
>
> I confirmed with ICANN, the owner of example.com, that they did not
> authorize these certificates. These certificates were already revoked at
the
> time I found them.
>
>
> II. Suspicious certificates for domains containing the word "test"
>
> On 2016-11-15 and 2016-10-26, Symantec issued certificates for various
> domains containing the word "test" which I strongly suspect were
> misissued:
>
> https://clicktime.symantec.com/a/1/_0lsjfT3DHqxu1QJl2eBU5zx948r
> qJmGy-bHkTlww3c=?d=6VMu_T-sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
> mWmiY1RlN6aQDk-q60Cy76Au0CHjeYa4qo0N7e7Pbcw_OwHSJmMQEw-
> s1RBUJ4y6oFf9cEpLQYDcTs0wQjUve2_zzbI9paFZA-
> 4MBZn0OAqSr0fdyihKQa3NGk1XSLahRHT9H7YKUQRhaX3y6FotZjUaGOWboG
> oYn8PQTT6koyyBuC-
> 044fxL0XE8xRruYOPBELAZNVU7IzdE2id8hrzrFn7l2jmuWLTxkW-
> AQ15CZUebkaGsbll_tyh8jDt08gBNpnPtXVKTMbDEYJw-
> p1P3j3Zh6JpKCiC3jVpJ69E80VUm5h1S79Gwhy6xG1BYx6pTfwpQ3h1_jVWXz3
> NLXmybP77Lu56CC_6htKsu1YTZVPIbw%3D=https%3A%2F%2Fcrt.sh%2F%
> 3Fsha256%3Db81f339b971eb763cfc686adbac5c164b89ad03f8afb55da9604fd0
> d416bbd21
> https://clicktime.symantec.com/a/1/uF90PPzN7N3_lTMmPb8YzXKK
> AfWPKKNmpvo_prjlE3Y=?d=6VMu_T-
> sR5eKmPW2WR2IXMmMu2l3NuU1xwSCzx-
> S8H67_QVReqcePQ_O3DgBf_CHNp7acC3LqzelBaMae64LokDHJrk3XCy9cJBj7
>