On 11/4/17 5:36 AM, Daniel Cater wrote:
> I notice that on https://crt.sh/mozilla-onecrl there are lots of certificates
> that have recently been added to OneCRL from the .tg TLD (Togo), including ones
> for high-profile domains such as google.tg. The issuances occurred 3 days ago,
> on 1st November.
> I don't see a thread already for this here, or on https://letsencrypt.org/blog/,
> so I thought I would start one.
> From the check-in comment "registry problems", I assume that this is a problem
> with the TLD rather than with Let's Encrypt.

As OneCRL and CRLSets are public this information is being noticed. There is
likely a large overlap between the people that read this group and the people
that monitor those lists. That said, be mindful of posting any specific
technical vulnerabilities or exploits which may not yet be patched.
As you have noticed based on OneCRL and crt.sh, there was a problem with
the *.tg registry, and SSL certificates were issued to domains in *.tg
that probably should not have been issued. As you can see, the Let's
Encrypt CA was made aware of the problem and has already responded by
revoking the impacted certs, and we have added entries for those certs
to OneCRL. Unfortunately, the CT data shows that other CAs also recently
issued certs containing *.tg domains.
I have not personally spoken with the people at the *.tg registry yet,
but my understanding is that the problem has been fixed on their end.
This is a new scenario to me -- having a problem at a registry that
results in SSL certs being issued that otherwise would not have been
issued. So I am trying to figure out how to respond to it. For example,
should I send email to only the CAs who are showing up in CT and crt.sh
as having issued SSL certs for the *.tg TLD within the past few days? Or
should I send an email blast out to all CAs in Mozilla's program?
I think those CAs need to re-validate their recently issued SSL certs
that contain any *.tg domains, and possibly revoke such certs and send
us the info so corresponding entries can be added to OneCRL. But, as
this is new to me, I will appreciate thoughtful and constructive input
on this.
Thanks,
Kathleen
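One way to do the triage step Kathleen describes, i.e. pick out the certificates logged to CT in the past few days that contain names under .tg and group them by issuing CA so each CA can be asked to re-validate or revoke. This is an added example, not code from the thread, crt.sh or Mozilla; it runs over constructed records shaped like crt.sh's JSON search output instead of querying crt.sh live, and the second issuer name is a placeholder.

```python
from collections import defaultdict
from datetime import datetime

# Constructed records in the shape of crt.sh's JSON search output:
# issuer_name, name_value (one SAN per line) and not_before (ISO-8601).
LE_X3 = "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
OTHER_CA = "C=XX, O=Example CA Ltd, CN=Example DV CA"  # placeholder issuer
SAMPLE_RECORDS = [
    {"id": 1, "issuer_name": LE_X3, "not_before": "2017-11-01T09:12:00",
     "name_value": "google.tg\nwww.google.tg"},
    {"id": 2, "issuer_name": LE_X3, "not_before": "2017-09-15T12:00:00",
     "name_value": "older.tg"},                     # issued before the window
    {"id": 3, "issuer_name": OTHER_CA, "not_before": "2017-11-02T03:00:00",
     "name_value": "*.shop.tg"},                    # wildcard under .tg
    {"id": 4, "issuer_name": OTHER_CA, "not_before": "2017-11-01T12:00:00",
     "name_value": "tg.example.org\nexample.com"},  # no name under .tg
]

def names_under_tld(name_value, tld):
    """Return the SANs in a crt.sh name_value field that sit under tld.
    Only whole labels count, so 'tg.example.org' is not under '.tg'."""
    suffix = "." + tld.lower().strip(".")
    cleaned = (n.strip().lower().rstrip(".") for n in name_value.split("\n"))
    return [n for n in cleaned if n.endswith(suffix)]

def affected_by_issuer(records, tld, window_start, window_end):
    """Group records issued within [window_start, window_end] (ISO-8601
    strings) that carry at least one name under tld, keyed by issuer.
    Returns {issuer_name: [(cert id, [matching names]), ...]}."""
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    grouped = defaultdict(list)
    for rec in records:
        issued = datetime.fromisoformat(rec["not_before"])
        if not (start <= issued <= end):
            continue
        hits = names_under_tld(rec["name_value"], tld)
        if hits:
            grouped[rec["issuer_name"]].append((rec["id"], hits))
    return dict(grouped)

if __name__ == "__main__":
    # Window matching the thread: the few days leading up to 4 November 2017.
    report = affected_by_issuer(SAMPLE_RECORDS, "tg",
                                "2017-10-29T00:00:00", "2017-11-04T23:59:59")
    for issuer, certs in report.items():
        print(issuer)
        for cert_id, names in certs:
            print("  crt.sh id %d: %s" % (cert_id, ", ".join(names)))
```

The per-issuer list is what would drive the outreach Kathleen asks about: one message per CA that appears as a key, with the certificate ids and names it needs to re-validate.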
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy