Thank you for the disclosure Daymion. I have created bug 1484766 to track
this issue. I've requested an incident report to help the community better
understand what happened and what can be and is being done to prevent similar
problems in the future, as described in the last two topics [1]:

6. Explanation about how and why the mistakes were made or bugs introduced,
and how they avoided detection until now.
7. List of steps your CA is taking to resolve the situation and ensure such
issuance will not be repeated in the future, accompanied with a timeline of
when your CA expects to accomplish these things.

- Wayne

[1] https://wiki.mozilla.org/CA/Responding_To_An_Incident#Incident_Report

On Mon, Aug 20, 2018 at 9:26 AM Daymion Reynolds via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Saturday, August 18, 2018 at 2:27:05 PM UTC-7, Ben Laurie wrote:
> > On Fri, 17 Aug 2018 at 18:22, Daymion Reynolds via dev-security-policy <
> > dev-security-policy@lists.mozilla.org> wrote:
> >
> > > Revoke Disclosure
> > >
> > > GoDaddy has been proactively performing self-audits. As part of this
> > > process, we identified a vulnerability in our code that would allow our
> > > validation controls to be bypassed. This bug would allow for a Random
> > > Value that was generated for intended use with Method 3.2.2.4.6 and
> > > 3.2.2.4.7 and was validated using Method 3.2.2.4.2 by persons who were
> > > not confirmed as the domain contact. This bug was introduced November
> > > 2014 and was leveraged to issue a total of 865 certificates. The bug was
> > > closed hours after identification, and in parallel we started the scope
> > > and revocation activities.
> > >
> > > In accordance with CA/B Forum BR, section 4.9.1.1, all mis-issued
> > > certificates were revoked within 24 hours of identification.
> > >
> > > A timeline of the events for revocation is as follows:
> > >
> > > 8/13 9:30am – Exploit issue surfaced as possible revocation event.
> > > 8/13 9:30-4pm – Issue scope identification (at this point it was
> > > unknown), gathering certificate list
> > > 8/13 4pm – Certificate list finalized for revoke total 825 certs,
> > > Revoke notification sent to cert owners.
> > >
> >
> > I presume you mean domain owners?
> >
> > Do we know if any of these certs were used? If so, how?
> >
> >
> > > 8/14 1:30pm – All certificates revoked.
> > >
> > > Further research identified 40 certificates which contained re-use of
> > > suspect validation information.
> > > 8/15 – 2pm – Additional certificates identified due to re-use.
> > > 8/15 – 2:30pm – Customers notified of pending revoke.
> > > 8/16 – 12:30pm – All certificates revoked.
> > >
> > > We stand ready to answer any questions or concerns.
> > > Daymion
> > >
>
> Yes, domain owners.
>
> Yes, some of the certs were being used as typical server certs. We have
> not detected any nefarious activities.
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
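The bug described in the disclosure above is a scoping failure: a Random Value issued for one validation method was accepted as proof under a different method, by a party who was never confirmed as the domain contact. The following is an added example, not GoDaddy's code and not from this thread, showing the unscoped check beside a scoped one. The store, method labels, contact binding, single-use flag and the 30-day lifetime constant are assumptions chosen for illustration.

```python
"""Added example: binding a domain-validation Random Value to the method
(and, for the email method, the confirmed contact) it was issued for.

The BR section labels (3.2.2.4.2 = email to domain contact, 3.2.2.4.6 =
agreed-upon change to website, 3.2.2.4.7 = DNS change) are the ones named
in the thread; everything else here is constructed for the example.
"""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

EMAIL_TO_CONTACT = "3.2.2.4.2"
WEBSITE_CHANGE = "3.2.2.4.6"
DNS_CHANGE = "3.2.2.4.7"


@dataclass
class RandomValue:
    domain: str
    method: str               # method the value was generated for
    contact: Optional[str]    # confirmed domain contact (email method only)
    issued_at: float
    used: bool = False


class ValidationStore:
    # Assumed lifetime for this example; a real CA derives it from its CP/CPS.
    TTL_SECONDS = 30 * 24 * 3600

    def __init__(self) -> None:
        self._values: Dict[str, RandomValue] = {}

    def issue(self, domain: str, method: str, contact: Optional[str] = None,
              now: Optional[float] = None) -> str:
        """Generate a Random Value and record what it is for."""
        if method == EMAIL_TO_CONTACT and contact is None:
            raise ValueError("email method requires a confirmed domain contact")
        token = secrets.token_urlsafe(16)
        self._values[token] = RandomValue(
            domain=domain, method=method, contact=contact,
            issued_at=time.time() if now is None else now)
        return token

    def validate_unscoped(self, token: str, domain: str) -> bool:
        """The failure mode: only token and domain are checked, so a value
        generated for a website/DNS method passes under any method."""
        rv = self._values.get(token)
        return rv is not None and rv.domain == domain

    def validate(self, token: str, domain: str, method: str,
                 presented_by: Optional[str] = None,
                 now: Optional[float] = None) -> bool:
        """Hardened check: the value must match the domain, the method it was
        issued for, the confirmed contact (email method), be unexpired and
        not previously consumed."""
        now = time.time() if now is None else now
        rv = self._values.get(token)
        if rv is None or rv.domain != domain:
            return False
        if rv.method != method:
            return False                      # cross-method reuse rejected
        if method == EMAIL_TO_CONTACT and presented_by != rv.contact:
            return False                      # not the confirmed contact
        if now - rv.issued_at > self.TTL_SECONDS or rv.used:
            return False
        rv.used = True                        # single use
        return True


if __name__ == "__main__":
    store = ValidationStore()
    tok = store.issue("example.com", DNS_CHANGE, now=0)
    print("unscoped accepts DNS value as email proof:",
          store.validate_unscoped(tok, "example.com"))
    print("scoped accepts DNS value as email proof:",
          store.validate(tok, "example.com", EMAIL_TO_CONTACT,
                         presented_by="anyone@example.com", now=1))
```

The point of the scoped check is that the method is part of the value's identity: a proof is only meaningful for the challenge it was generated to answer, and the email method additionally has to be tied to the contact the CA actually confirmed.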