Re-posting the message below, because it appears that this message did not get propagated to groups.google.com.

I have filed a bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1412993 - mozilla.dev.security.policy posts not getting propagated to Google Groups


-----Original Message-----
Sent: Monday, October 30, 2017 1:36 PM
To: mozilla-dev-security-policy
Subject: Incident Report : GlobalSign certificates with ROCA Fingerprint

I wanted to send out a status of where we are on the ROCA vulnerable certificates issued by GlobalSign. A full report will be coming later this week once we've completed the revocations, but here is a summary of the scope and status as it stands right now.

Here's the Timeline:

10/16: Became aware of the ROCA issue via a post to the mdsp list.

10/17-18: Created and ran a report over all active SSL certificates in our database that showed there were 53 vulnerable SSL certificates. They are all from one customer and they are all under the ".apsch.by" domain.

10/18: Received a link with a list of 35 GlobalSign-issued SSL certificates, all of which were on our report: https://misissued.com/batch/28/

10/19: Customer was contacted and we let them know about the issue. These are used within a tolling system which, if revoked, would result in substantial disruption of commercial services. They immediately initiated the process to get them replaced; however, due to the location of the devices and the need to generate the keys using a new process (which is not vulnerable), they need approximately 2 weeks to perform the replacement. They have firm plans to complete this by November 3rd.

We're prioritizing the fix to prohibit issuance of additional SSL certificates with this vulnerability, and in the meantime we're running the report every few days to verify that no new certificates were issued with this vulnerability.

We'll complete the full report as soon as we perform the revocations.

Doug

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

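The report Doug describes checks each active certificate's RSA modulus for the ROCA fingerprint. The following Python is an added illustration, not part of this post and not GlobalSign's tooling. It implements the published fingerprint test: keys from the flawed Infineon generator have moduli N for which N mod p lies in the subgroup generated by 65537 mod p for every small prime p dividing the generator's M, so a single residue outside that subgroup rules ROCA out. The prime set (3 through 167) and the two sample moduli are assumptions constructed for illustration; the second sample is not a real key at all, only a value shaped to carry the fingerprint.

```python
"""Check RSA moduli for the ROCA fingerprint (Nemec et al., CCS 2017).

The flawed generator produced primes of the form
    p = k * M + (65537 ** a mod M),
where M is a product of the first n small primes. The modulus N = p*q then
satisfies N mod r in <65537 mod r> for every small prime r dividing M, which
is the fingerprint. A random modulus leaves that subgroup for at least one
small prime with overwhelming probability, so false positives are negligible.
"""
from math import prod
from typing import Dict, List, Optional

# Primes 3..167: assumed here to match the set used by the published detector.
SMALL_PRIMES: List[int] = [
    3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67,
    71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137, 139,
    149, 151, 157, 163, 167,
]
GENERATOR = 65537  # the public exponent the flawed generator built primes from


def _subgroup(p: int) -> frozenset:
    """All powers of 65537 modulo p, i.e. the residues a ROCA key may have."""
    residues, x = set(), 1
    while True:
        x = x * GENERATOR % p
        residues.add(x)
        if x == 1:  # cycle closed: the subgroup is complete
            return frozenset(residues)


ALLOWED: Dict[int, frozenset] = {p: _subgroup(p) for p in SMALL_PRIMES}


def first_excluding_prime(n: int) -> Optional[int]:
    """Smallest prime whose residue rules n out, or None if n matches fully."""
    for p in SMALL_PRIMES:
        if n % p not in ALLOWED[p]:
            return p
    return None


def has_roca_fingerprint(n: int) -> bool:
    """True when every small-prime residue of n is consistent with ROCA."""
    return first_excluding_prime(n) is None


def flag_moduli(moduli: Dict[str, int]) -> List[str]:
    """CA-style report: labels of the moduli that carry the fingerprint."""
    return sorted(label for label, n in moduli.items() if has_roca_fingerprint(n))


def constructed_roca_like_modulus(a: int, k: int) -> int:
    """Constructed test value (not a real key): k*M + 65537^a mod M over the
    primes above, which by construction carries the fingerprint."""
    m = prod(SMALL_PRIMES)
    return k * m + pow(GENERATOR, a, m)


if __name__ == "__main__":
    # Constructed sample inputs: one ROCA-shaped value, one that is not.
    sample = {
        "cert-A": constructed_roca_like_modulus(1234, 10**500),
        "cert-B": 66 * 10**80 + 13,  # residue 2 mod 11, outside {1, 10}
    }
    print(flag_moduli(sample))                      # ['cert-A']
    print(first_excluding_prime(sample["cert-B"]))  # 11
```

In a real scan the moduli would come from the certificates' SubjectPublicKeyInfo; the check itself needs only the integer N, which is why it is cheap enough to run over an entire issuance database every few days.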