Re-posting the message below, because it appears that this message did
not get propagated to groups.google.com.
I have filed a bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1412993 -
mozilla.dev.security.policy posts not getting propagated to Google Groups
-----Original Message-----
Sent: Monday, October 30, 2017 1:36 PM
To: mozilla-dev-security-policy
Subject: Incident Report : GlobalSign certificates with ROCA Fingerprint
I wanted to send out a status of where we are on the ROCA vulnerable
certificates issued by GlobalSign. A full report will be coming later
this week once we've completed the revocations, but here is a summary of
the scope and status as it stands right now.
Here's the Timeline:
10/16: Became aware of the ROCA issue via a post to the mdsp list.
10/17-18: Created and ran a report over all active SSL certificates in
our database that showed there were 53 vulnerable SSL certificates.
They are all from one customer and they are all under the ".apsch.by"
domain.
10/18: Received link with a list of 35 GlobalSign issued SSL
certificates, all of which were on our report,
https://misissued.com/batch/28/
10/19: Customer was contacted and we let them know about the issue.
These are used within a tolling system which, if revoked, would result
in substantial disruption of commercial services. They immediately
initiated the process to get them replaced; however, due to the location
of the devices and the need to generate the keys using a new process
(which is not vulnerable), they need approximately 2 weeks to perform the
replacement. They have firm plans to complete this by November 3rd.
We're prioritizing the fix to prohibit issuance of additional SSL
certificates with this vulnerability, and in the meantime we're running
the report every few days to verify no new certificates were issued with
this vulnerability.
We'll complete the full report as soon as we perform the revocations.
Doug
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
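The report Doug describes (a scan over all active certificates for the ROCA fingerprint) relies on the structural test published with the ROCA paper (Nemec et al., CCS 2017): moduli from the affected Infineon generator have the form N = k*M + (65537^a mod M), with M the product of the first n small primes, so for every small prime p dividing M the residue N mod p is a power of 65537 mod p. The block below is an added example of that fingerprint check written for this thread; it is not GlobalSign's report or the official roca-detect tool. The two sample moduli, the certificate identifiers and the `scan_moduli` helper are constructed for illustration, and the moduli are deliberately not real RSA keys (only their residues matter to the test).

```python
"""ROCA public-key fingerprint check (added example, not GlobalSign's report).

Moduli from the affected generator satisfy N = k*M + (65537^a mod M), where M is
the product of the first n small primes. For every small prime p dividing M, the
residue N mod p therefore lies in the multiplicative subgroup generated by
65537 mod p. A modulus produced any other way meets all 38 constraints at once
only with negligible probability, so the test is a fast fingerprint that never
factors anything.
"""
from typing import Dict, List

# The 38 odd primes up to 167 used by the published fingerprint. p = 2 is skipped
# because every RSA modulus is odd, so that constraint carries no information.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
                137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def subgroup_mod(p: int, g: int = GENERATOR) -> frozenset:
    """Return {g^i mod p : i >= 0}, the subgroup of (Z/pZ)* generated by g."""
    residues = set()
    x = 1
    while x not in residues:          # stops once the cycle returns to 1
        residues.add(x)
        x = (x * g) % p
    return frozenset(residues)


# One residue set per prime, computed once (the public detector stores the
# equivalent information as precomputed bit masks).
SUBGROUPS = {p: subgroup_mod(p) for p in SMALL_PRIMES}


def failing_primes(n: int) -> List[int]:
    """Primes p for which n mod p is NOT a power of 65537 mod p.

    An empty list means n carries the ROCA fingerprint.
    """
    return [p for p in SMALL_PRIMES if (n % p) not in SUBGROUPS[p]]


def has_roca_fingerprint(n: int) -> bool:
    """True if the modulus matches the structure of the vulnerable generator."""
    return not failing_primes(n)


def scan_moduli(moduli: Dict[str, int]) -> List[str]:
    """Report-style helper (hypothetical): IDs of all moduli carrying the fingerprint."""
    return sorted(cert_id for cert_id, n in moduli.items() if has_roca_fingerprint(n))


def _product(values) -> int:
    out = 1
    for v in values:
        out *= v
    return out


# Constructed sample data, not real certificates. VULNERABLE_SAMPLE is built with
# the vulnerable structure k*M + 65537^a mod M over M = product of the first 39
# primes (2..167). CLEAN_SAMPLE is an arbitrary odd number chosen so that
# n mod 11 == 5, which lies outside the subgroup {1, 10} generated by 65537 mod 11.
M_39 = 2 * _product(SMALL_PRIMES)
VULNERABLE_SAMPLE = 123456789 * M_39 + pow(GENERATOR, 424242, M_39)
CLEAN_SAMPLE = 11 * 2 ** 2000 + 5

SAMPLE_CERTS = {"cert-A": VULNERABLE_SAMPLE, "cert-B": CLEAN_SAMPLE}

if __name__ == "__main__":
    for cert_id in scan_moduli(SAMPLE_CERTS):
        print(f"{cert_id}: ROCA fingerprint present")
```

In a real CA database the moduli would come from the certificates' SubjectPublicKeyInfo; the check itself needs only the integer N and runs in microseconds per key, which is what makes re-running it over the whole active population every few days cheap. Because the fingerprint is structural rather than a lookup, it also covers keys that were never seen before, so the same scan doubles as the pre-issuance gate mentioned in the report.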