RE: GlobalSign: Failure to revoke certificate with compromised private key within 24 hours

2020-03-10 Thread Arvid Vermote via dev-security-policy
An incident report was created for this yesterday:
https://bugzilla.mozilla.org/show_bug.cgi?id=1620922

> -----Original Message-----
> From: dev-security-policy On Behalf Of Matt Palmer via dev-security-policy
> Sent: Tuesday, 10 March 2020 1:41
> To: dev-security-policy@lists.mozilla.org
> Subject: GlobalSign: Failure to revoke certificate with compromised private key
> within 24 hours
> 
> A certificate with a publicly-disclosed private key was reported to GlobalSign for
> revocation within the BR-mandated 24 hour period, however the revocation took
> place over 46 hours after the report was sent.  Several requests for information I
> had already provided were made by GlobalSign, however the revocation eventually
> took place without any further information being required.  Communication from
> GlobalSign then appeared to suggest that the certificate had "already" been
> revoked, despite timestamps in the CRL indicating otherwise.
> 
> I believe an incident report for this event is warranted, given that GlobalSign was
> provided with sufficient information to revoke the certificate in the initial problem
> report (based on the fact that revocation eventually took place with no further
> information being provided by myself), but failed to do so within the BR-mandated
> time period.
> 
> Excruciatingly detailed timeline follows.
> 
> 2020-03-06 21:48:53Z E-mail sent to report-ab...@globalsign.com:
> 
> -8<-
> Date: Sat, 7 Mar 2020 08:48:53 +1100
> From: Matt Palmer 
> To: report-ab...@globalsign.com
> Subject: Problem Report for certificate(s) with compromised private key
> 
> One or more certificates issued by your CA are using a private key which has been
> publicly disclosed.  The list of affected certificates can be retrieved from
> 
> https://crt.sh/?spkisha256=6a02703a7a2ba3f368a2915305383549cf8ada8262422697d62d5ba410e4d93f
> 
> Included below is a CSR, signed by the compromised private key, demonstrating
> proof of possession:
> 
> -----BEGIN CERTIFICATE REQUEST-----
> [CSR body omitted]
> -----END CERTIFICATE REQUEST-----
> 
> Please revoke all affected certificates within 24 hours, as per the Baseline
> Requirements.
> 
> - Matt
> ->8-
> 
> 2020-03-06 21:49:04Z E-mail is accepted for delivery by a GlobalSign MX:
> 
> -8<-
> Mar  6 21:49:04 minotaur postfix/smtp[26026]: 75BC71857EE:
> to=,
> relay=globalsign-com.mail.protection.outlook.com[104.47.93.36]:25,
> delay=6.8, delays=0.47/0.01/0.9/5.4, dsn=2.6.0, status=sent (250 2.6.0
> <20200306214853.kpohtnh5y2m3k...@hezmatt.org> [InternalId=34857954577034,
> Hostname=HK0PR03MB2755.apcprd03.prod.outlook.com] 10967 bytes in 3.479,
> 3.078 KB/sec Queued mail for delivery)
> ->8-
> 
> 2020-03-06 21:49:15Z Auto-ack e-mail received from GlobalSign:
> 
> -8<-
> Dear Matt Palmer,
> 
> Thank you for reporting this issue to GlobalSign.  Case #04076325: "Problem
> Report for certificate(s) w

GlobalSign: Failure to revoke certificate with compromised private key within 24 hours

2020-03-09 Thread Matt Palmer via dev-security-policy
A certificate with a publicly-disclosed private key was reported to
GlobalSign for revocation within the BR-mandated 24 hour period, however the
revocation took place over 46 hours after the report was sent.  Several
requests for information I had already provided were made by GlobalSign,
however the revocation eventually took place without any further information
being required.  Communication from GlobalSign then appeared to suggest that
the certificate had "already" been revoked, despite timestamps in the CRL
indicating otherwise.

I believe an incident report for this event is warranted, given that
GlobalSign was provided with sufficient information to revoke the
certificate in the initial problem report (based on the fact that revocation
eventually took place with no further information being provided by myself),
but failed to do so within the BR-mandated time period.

Excruciatingly detailed timeline follows.

2020-03-06 21:48:53Z E-mail sent to report-ab...@globalsign.com:

-8<-
Date: Sat, 7 Mar 2020 08:48:53 +1100
From: Matt Palmer 
To: report-ab...@globalsign.com
Subject: Problem Report for certificate(s) with compromised private key

One or more certificates issued by your CA are using a private key which has
been publicly disclosed.  The list of affected certificates can be retrieved
from

https://crt.sh/?spkisha256=6a02703a7a2ba3f368a2915305383549cf8ada8262422697d62d5ba410e4d93f

Included below is a CSR, signed by the compromised private key,
demonstrating proof of possession:

-----BEGIN CERTIFICATE REQUEST-----
[CSR body omitted]
-----END CERTIFICATE REQUEST-----

Please revoke all affected certificates within 24 hours, as per the Baseline
Requirements.

- Matt
->8-

2020-03-06 21:49:04Z E-mail is accepted for delivery by a GlobalSign MX:

-8<-
Mar  6 21:49:04 minotaur postfix/smtp[26026]: 75BC71857EE:
to=,
relay=globalsign-com.mail.protection.outlook.com[104.47.93.36]:25,
delay=6.8, delays=0.47/0.01/0.9/5.4, dsn=2.6.0, status=sent (250 2.6.0
<20200306214853.kpohtnh5y2m3k...@hezmatt.org> [InternalId=34857954577034,
Hostname=HK0PR03MB2755.apcprd03.prod.outlook.com] 10967 bytes in 3.479,
3.078 KB/sec Queued mail for delivery)
->8-

2020-03-06 21:49:15Z Auto-ack e-mail received from GlobalSign:

-8<-
Dear Matt Palmer,

Thank you for reporting this issue to GlobalSign.  Case #04076325: "Problem
Report for certificate(s) with compromised private key" has been created and
a GlobalSign representative will investigate this immediately.  If requested
you will receive a response from a designated representative as soon as
possible.

Thank you,
Customer Service Team  GlobalSign
->8-

2020-03-06 22:08:06Z Human response from GlobalSign:

-8<-
Hello,

Thank you for contacting GlobalSign.

We have received your report of certificate abuse.  GlobalSign takes these
accusations very seriously.  We will be opening an investigation and will
keep you updated on any advances we make.

Sincerely,
Akshit Bhambota
GlobalSign Support Team
->8-

2020-03-06 22:21:22Z A rather odd form-looking e-mail is sent from
GlobalSign:

-8<-
Hello,

Thank you for submitting your report regarding the suspected fraudulent
activity or misuse of a GlobalSign certificate.  In furtherance of this, we
will require additional information to
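What a CA's intake check for a report of this kind would do, as an added Go example that is not part of the thread and not GlobalSign's or crt.sh's code: parse the PEM CSR, verify its signature as proof of possession of the key, compare the key's SPKI SHA-256 with the fingerprint in the reporter's crt.sh link, and test a revocation timestamp against the 24-hour limit the report invokes. The function names are mine, and the CSR it checks is a constructed one over a freshly generated key, not the CSR from the report.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"time"
)

// spkiSHA256 hashes the DER SubjectPublicKeyInfo, the value crt.sh's ?spkisha256= lookup keys on.
func spkiSHA256(pub any) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// VerifyCompromiseReport checks a report like the thread's: the CSR must parse and carry a valid signature (proof of possession), and its key must hash to the SPKI the reporter named.
func VerifyCompromiseReport(csrPEM []byte, claimedSPKI string) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("no CERTIFICATE REQUEST block in report")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return fmt.Errorf("malformed CSR: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("no proof of possession: %w", err)
	}
	if got := spkiSHA256(csr.PublicKey); got != claimedSPKI {
		return fmt.Errorf("CSR key %s is not the reported SPKI %s", got, claimedSPKI)
	}
	return nil
}

// RevokedInTime applies the BR rule the report invokes: revoke within 24 hours of receiving the report.
func RevokedInTime(received, revoked time.Time) bool { return !revoked.After(received.Add(24 * time.Hour)) }

// MakeTestReport builds a constructed CSR (not the thread's) over a fresh key and returns it with the key's SPKI hash.
func MakeTestReport() ([]byte, string) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	der, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "key publicly disclosed"}}, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), spkiSHA256(&key.PublicKey)
}
```

In practice the claimed SPKI comes from the spkisha256 parameter of the reporter's crt.sh link and the revocation time from the CRL's revocationDate entry.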