On 17/07/17 16:14, Jonathan Rudenberg via dev-security-policy wrote:
> This certificate, issued by “Intesa Sanpaolo CA Servizi Esterni Enhanced” which
> chains up to a Baltimore CyberTrust root, contains an invalid dnsName of
> “www.intesasanpaolovita..biz” (note the two dots):
> https://crt.sh/?q=2B95B474A2646CA28DC244F1AE829C850EA41CF64C75E11A94FE8D228735977B&opt=cablint,x509lint
> This raises some questions about the technical controls in place for issuance
> from this CA.
Yesterday evening Jonathan privately made me aware of a leaf certificate
(https://crt.sh/?id=73190674) with two SAN:dNSNames that contain
consecutive dots, which was issued by a Comodo intermediate. He found
this cert using the crt.sh DB's lint records.
This morning Robin and I have investigated this bug in our code and
we've taken the following actions:
- We've deployed a hotfix to our CA system to prevent any further
"double dot" mis-issuances.
- We've confirmed that the bug only affected labels to the left of
the registrable domain. (e.g., dNSNames of the form www..domain.com
were not always rejected, but those of the form www.domain..com were
always rejected).
- We've performed an exhaustive search of our certificate database
and found 2 further unexpired leaf certificates that exhibit this
"double dot" problem. I've submitted both of them to some CT logs:
https://crt.sh/?id=174668364
https://crt.sh/?id=174668366
We will revoke all 3 of these leaf certificates ASAP.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
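The class of check at issue above (rejecting dNSNames with an empty label, i.e. consecutive, leading or trailing dots) is small enough to show in full. The following is an added example and is not code from the thread or from Comodo's CA system: `validate_dns_name` checks every label of a SAN dNSName against the RFC 1034 preferred name syntax, and `naive_check` is a hypothetical, deliberately weak checker that validates only the rightmost two labels strictly and the host prefix with a loose character class. That weak checker is an assumption about how the reported symptom (www..domain.com accepted, www.domain..com rejected) could arise; it is not a description of the actual bug. The sample names are the ones quoted in the thread plus constructed ones.

```python
import re

# RFC 1034 "preferred name syntax" label: 1-63 octets of letters, digits and
# hyphens, not starting or ending with a hyphen.
LDH_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Loose host-prefix pattern used only by the hypothetical weak checker below:
# it allows dots anywhere, so it never notices an empty label.
LOOSE_PREFIX = re.compile(r"^[A-Za-z0-9.-]*$")


def validate_dns_name(name):
    """Return a list of problems with a SAN dNSName; an empty list means valid.

    Every label is checked, so "a..b", ".a.b" and "a.b." are all rejected.
    A single "*" is accepted only as the leftmost label (wildcard SAN).
    """
    problems = []
    if not name:
        return ["empty name"]
    if len(name) > 253:
        problems.append("name longer than 253 octets")
    labels = name.split(".")
    for i, label in enumerate(labels):
        if label == "":
            problems.append(
                "empty label at position %d (consecutive, leading or trailing dot)" % i
            )
        elif label == "*" and i == 0:
            continue
        elif not LDH_LABEL.match(label):
            problems.append("label %r at position %d is not valid LDH" % (label, i))
    return problems


def naive_check(name):
    """Hypothetical weak checker (assumption, not Comodo's code).

    Strictly validates only the last two labels (a crude stand-in for the
    registrable domain) and applies LOOSE_PREFIX to whatever is left of them.
    It therefore accepts "www..domain.com" but rejects "www.domain..com".
    """
    labels = name.split(".")
    if len(labels) < 2:
        return False
    suffix_labels = labels[-2:]
    prefix = ".".join(labels[:-2])
    if not all(LDH_LABEL.match(label) for label in suffix_labels):
        return False
    return LOOSE_PREFIX.match(prefix) is not None


def lint_sans(names):
    """Map each offending dNSName to its list of problems (valid names omitted)."""
    findings = {}
    for name in names:
        problems = validate_dns_name(name)
        if problems:
            findings[name] = problems
    return findings


# Constructed sample SAN list: the names quoted in the thread plus a few others.
SAMPLE_SANS = [
    "www.intesasanpaolovita..biz",   # quoted in the thread
    "www..domain.com",               # form the thread says was not always rejected
    "www.domain..com",               # form the thread says was always rejected
    "www.domain.com",
    "*.example.com",
    "-bad.example.com",
    "example.com.",
]

if __name__ == "__main__":
    for san in SAMPLE_SANS:
        print("%-32s strict=%-5s naive=%s" % (
            san, not validate_dns_name(san), naive_check(san)))
    for san, problems in lint_sans(SAMPLE_SANS).items():
        print(san, "->", "; ".join(problems))
```

Run as a script, the table shows where the two checkers disagree: the strict per-label check rejects every name with an empty label, while the hypothetical prefix-based check lets the double dot through exactly when it sits to the left of the last two labels. A CA-side lint that walks every label (as the strict function does) closes that gap regardless of where the registrable domain boundary falls.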