Hi, I guess this is of interest to the members of this list:

https://www.golem.de/news/microsoft-dynamics-365-wildcard-certificate-with-a-private-key-for-everyone-1712-131544.html
https://medium.com/matthias-gliwka/microsoft-leaks-tls-private-key-for-cloud-erp-product-10b56f7d648

tl;dr: Microsoft used a shared wildcard certificate in a cloud ERP product (Dynamics 365 for Operations). In the "sandbox" version customers were allowed to log in via RDP, and thus it was possible to extract the private key.

The finder of this bug tried for several months, unsuccessfully, to inform Microsoft about this issue. Eventually he got in contact with me, I reported it to Mozilla's bugzilla, and it was sorted out:

https://bugzilla.mozilla.org/show_bug.cgi?id=1421820

The certificate was issued indirectly by DigiCert. This raises, imho, again an interesting issue about Sub-CAs. The BRs say that after a private key compromise a cert shall be revoked within 24 hours. This clearly didn't happen. While it is probably no big deal if it sometimes takes a bit longer, in this case it was several months.

So I wonder: if a CA signs an intermediate, are they responsible for making sure that reports brought to the sub-CA are properly handled?

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy