On 11/4/17 5:36 AM, Daniel Cater wrote:
I notice that on https://crt.sh/mozilla-onecrl there are lots of certificates 
that have recently been added to OneCRL from the .tg TLD (Togo), including ones 
for high-profile domains such as google.tg. The issuances occurred 3 days ago, 
on 1st November.

I don't see a thread already for this here, or on https://letsencrypt.org/blog/ 
so I thought I would start one.

From the check-in comment "registry problems", I assume that this is a problem 
with the TLD rather than with Let's Encrypt.

As OneCRL and CRLSets are public this information is being noticed. There is 
likely a large overlap between the people that read this group and the people 
that monitor those lists. That said, be mindful of posting any specific 
technical vulnerabilities or exploits which may not yet be patched.



As you have noticed based on OneCRL and crt.sh, there was a problem with the *.tg registry, and SSL certificates were issued to domains in *.tg that probably should not have been issued. As you can see, the Let's Encrypt CA was made aware of the problem and has already responded by revoking the impacted certs, and we have added entries for those certs to OneCRL. Unfortunately, the CT data shows that other CAs also recently issued certs containing *.tg domains.

I have not personally spoken with the people at the *.tg registry yet, but my understanding is that the problem has been fixed on their end.

This is a new scenario to me -- having a problem at a registry that results in SSL certs being issued that otherwise would not have been issued. So I am trying to figure out how to respond to it. For example, should I send email to only the CAs who are showing up in CT and crt.sh as having issued SSL certs for the *.tg TLD within the past few days? Or should I send an email blast out to all CAs in Mozilla's program?

I think those CAs need to re-validate their recently issued SSL certs that contain any *.tg domains, and possibly revoke such certs and send us the info so corresponding entries can be added to OneCRL. But, as this is new to me, I will appreciate thoughtful and constructive input on this.

Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
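The triage question above (which CAs issued certificates containing *.tg names in the affected window, so they can be asked to re-validate or revoke) is something a CT log or crt.sh export answers mechanically. The script below is an added example and is not code from this thread, from Mozilla or from crt.sh. It assumes the record shape that crt.sh's JSON output uses (fields such as `issuer_name`, `name_value` with newline-separated SANs, `not_before`, `id`); the records embedded in it are constructed sample data with hypothetical issuer names, not real issuances.

```python
"""Group certificate records by issuing CA, keeping only certificates that
contain a name under a given TLD and were issued inside a time window.

Added example, not from the thread. Record shape assumed to match the JSON
crt.sh returns for a query like https://crt.sh/?q=%25.tg&output=json ;
SAMPLE_JSON below is constructed test data, not real certificates."""
from collections import defaultdict
from datetime import datetime
import json

# Constructed sample records in the assumed crt.sh JSON shape (hypothetical).
SAMPLE_JSON = json.dumps([
    {"id": 1001, "issuer_name": "C=US, O=Example CA A, CN=Example CA A R1",
     "name_value": "www.example.tg\nexample.tg", "not_before": "2017-11-01T10:12:00"},
    {"id": 1002, "issuer_name": "C=US, O=Example CA A, CN=Example CA A R1",
     "name_value": "mail.example.tg", "not_before": "2017-11-01T11:40:00"},
    {"id": 1003, "issuer_name": "C=GB, O=Example CA B, CN=Example CA B DV",
     "name_value": "shop.example.tg\nshop.example.com", "not_before": "2017-11-02T08:00:00"},
    # Issued months earlier: outside the incident window, should be ignored.
    {"id": 1004, "issuer_name": "C=GB, O=Example CA B, CN=Example CA B DV",
     "name_value": "old.example.tg", "not_before": "2017-06-15T09:00:00"},
    # Inside the window but no name under the TLD of interest.
    {"id": 1005, "issuer_name": "C=US, O=Example CA C, CN=Example CA C",
     "name_value": "unrelated.example.net", "not_before": "2017-11-02T12:00:00"},
])


def names_in_tld(name_value, tld):
    """Return the SANs from a newline-separated name_value that fall under tld.

    A wildcard entry such as '*.example.tg' is kept (reported without the
    leading '*.') because it covers hosts under the TLD just the same."""
    tld = tld.lstrip(".").lower()
    suffix = "." + tld
    matched = []
    for name in name_value.split("\n"):
        name = name.strip().lower()
        if name.startswith("*."):
            name = name[2:]
        if name == tld or name.endswith(suffix):
            matched.append(name)
    return matched


def issuers_for_tld(records, tld, since, until=None):
    """Map issuer_name -> list of matching certs issued in [since, until]."""
    by_issuer = defaultdict(list)
    for rec in records:
        not_before = datetime.fromisoformat(rec["not_before"])
        if not_before < since or (until is not None and not_before > until):
            continue
        matched = names_in_tld(rec["name_value"], tld)
        if not matched:
            continue
        by_issuer[rec["issuer_name"]].append(
            {"id": rec["id"], "not_before": not_before, "names": matched})
    # Plain dict so callers see a stable, serialisable structure.
    return dict(by_issuer)


def report_lines(by_issuer):
    """Render one line per issuer plus one per cert; suitable for an email."""
    lines = []
    for issuer in sorted(by_issuer):
        certs = by_issuer[issuer]
        lines.append(f"{issuer}: {len(certs)} cert(s) to re-validate")
        for cert in sorted(certs, key=lambda c: c["not_before"]):
            when = cert["not_before"].isoformat()
            lines.append(f"  crt.sh id {cert['id']} ({when}): {', '.join(cert['names'])}")
    return lines


if __name__ == "__main__":
    records = json.loads(SAMPLE_JSON)
    window_start = datetime(2017, 10, 30)
    for line in report_lines(issuers_for_tld(records, "tg", window_start)):
        print(line)
```

To run it against live data, fetch the crt.sh JSON for the TLD of interest, pass the parsed list to `issuers_for_tld`, and set `since` to the start of the registry problem; the issuer list it produces is exactly the set of CAs that need the re-validation request, and the per-certificate ids are what would later be supplied for OneCRL entries.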