Hi folks,

I'm sharing this information with this list per suggestion of Hanno
Böck.  Some time ago we started looking at private keys that are
included with Android apps that are publicly available in the Google
Play store.  Some subset of these keys have been used to obtain
certificates from CAs participating in the CT project (as visible on
https://crt.sh)

The following crt.sh links point to keys/certificates that are associated with
the compromised (released to the public) private keys:

https://crt.sh/?spkisha256=d31922465b3b7a85718752f1ae9bacb7cd1522996b073cd4da2464cdf84f697d
https://crt.sh/?spkisha256=a7c10b71f3c0827222573dcc73dac168d91bf3c564b1f5bd43924baf0472576c
https://crt.sh/?spkisha256=2766f6f5afa36174a08ca27aadaeba6621486960f385bed7ea83173ac2617703
https://crt.sh/?spkisha256=0cf68ccb3c210c91f742efb4d6091f2467132f33df63b56a8dcb2c84cf9a7502
https://crt.sh/?spkisha256=84041b5545a35e4bedcb4e1b88e0790dcf70a14abdf5f34d186e3a5656d060b0
https://crt.sh/?spkisha256=9b4fb504d853e52a1ef4b49a5005d39d4ca5c2e1f98bacedd7befb728d589095
https://crt.sh/?spkisha256=fddde47bfd018ea5b8b04be6dca332203e776d5249517b8db3acf5fa19abba10
https://crt.sh/?spkisha256=24184bbe0eadbcfd69b06b0e6f10d07c58413ecdb080cc609469d8a13ad33417
https://crt.sh/?spkisha256=ebb22a8bd69d1780ec0d74e23c2f83cdd559ef065766dfa80d19be0496ca3e35
https://crt.sh/?spkisha256=d92b4545299cb1c2426205295a8acc24205bd7a9b7f1ab767c9270d6bed929e9
https://crt.sh/?spkisha256=7732d4c9781979c2eda1dca14d610f627bf0eb14ad6d9f86c69d8f3a42c39430
https://crt.sh/?spkisha256=cd6b8f0a1862390bd20dd81e63b266847bf645cdc440f4022fc165e34ff6a7f1
https://crt.sh/?q=FB:1A:41:67:06:26:2B:99:8A:97:73:9A:FC:C7:E3:77:48:C3:E5:21:47:7E:FD:D5:03:D0:0C:31:C4:95:C5:07
https://crt.sh/?q=A7:30:9D:E5:1D:44:85:6A:E6:00:74:C3:0F:3E:3E:EA:23:EA:78:2D:84:6C:10:77:0B:1C:8F:24:B3:6D:D4:4D
https://crt.sh/?spkisha256=79c923c2d644eafef947d40d915b42684d35600a71cea6db22e88d7619a7825c
https://crt.sh/?spkisha256=45c363fd97c114bdbaa8444d068a0347d18c862e657dd90e2a48ac978f533015
https://crt.sh/?spkisha256=8206e318193186cace874b77d4b361ec37940e884d6ca10fca430164da663416
https://crt.sh/?spkisha256=887b1c8bbfb6d54dc47cf4f2397e07e3ccd850ea26bf3bcd8e269bc5b2917266
https://crt.sh/?spkisha256=d1a0748edb263fdf9fe8370db55b2669e52dec46cc61f7eec607febce66bba70
https://crt.sh/?spkisha256=b805cc36a8a84d5f462d8230cb6c05fcd13c7f4d81143c4c58692e1c71ac5c66
https://crt.sh/?spkisha256=f7f5a035038a3f933998ad503fe3535f823355101181ed51e1a942156a178dc2
https://crt.sh/?spkisha256=493f34228ad3179e2dad25a392acae4d2dcaebcf633240a9df9d7f4413c4e681
https://crt.sh/?spkisha256=9b40f2df2dc2bbc5d176cfb7b870342678e19cbf1ab14bef6ea22e20d60ec1b9
https://crt.sh/?spkisha256=cbcbef7bedeb58b1fd36af2bbf32f3269d8a920d7aa77a4d6f7e5beb7c4b656e
https://crt.sh/?spkisha256=357d37290366067db84ddc291ed15eeb0fef413235101c996a8d6f97e14dfa33
https://crt.sh/?spkisha256=f8e3776c8f5cd1617faf006e2bfa3b7be3ea11960aa55f7ef72416bde1b7f958
https://crt.sh/?spkisha256=6e199b309105b8f05f8af089eb9b97d7c4caf2490974c8d4e069a2ca5aca4574
https://crt.sh/?spkisha256=9b56d3c26284ad6a2faa95ca5f4c13ab69d995abea034bac169146f5401a7a02
https://crt.sh/?spkisha256=758854a6e58cd778129d56e72617d9312ac4a3bcf9c9b1227a117bb5ea83245e
https://crt.sh/?spkisha256=0a7b4ca246d82b7b1abe7192be4960a1b9d236f59d056dae3c98bd9c147262f9
https://crt.sh/?spkisha256=b4a95d9b6d13a38c5e1c5002c69084f4de054e9dc2139afb5fa2454b8042147a
https://crt.sh/?q=59:A2:F6:05:11:57:A4:11:03:2E:39:45:2B:35:BF:01:E0:04:03:9E:C4:BA:EE:DE:1A:F8:BE:18:B2:4A:85:25
https://crt.sh/?spkisha256=6e9bc0bd50ea63c19a0e9f04dea75bcca4f18306fea65859cc0676bfeeed87d5
https://crt.sh/?spkisha256=45ebf9d2308a2b156e50ec13b0a27abc22124d4c167df730dc871773cdbfe66f
https://crt.sh/?spkisha256=f0a48dd187500284ed98bd9293b3821f60efdf704aed5c14b7c366fc6a02aad9
https://crt.sh/?spkisha256=07d669c4c024b6e5e1ab0d47e3af705764adb8066ab797ed9be6d690086f0772
https://crt.sh/?spkisha256=22f6b4e6f9e06687c9df8c9cf4715e7fc58cdf7163d404d2362a4288b7c7e975
https://crt.sh/?spkisha256=50259dd332075155f9fb4ae2dc23ad193b343941a6efef81d7d2ea2ee1aae1ec
https://crt.sh/?spkisha256=a1c5cd8e193dffe45230254b62e27f4438414b69b439f835fea54f741c6c6f59
https://crt.sh/?spkisha256=e3e5c7ff15cd52ce05902b8ae42ae08c3257457136756c89a35f7ee8554c9e59
https://crt.sh/?spkisha256=d1c40311777bdc363fbe01eda747126efd2de188864cdba4ea5c131e1439da6e
https://crt.sh/?spkisha256=c327dc1213ae46b0d3d716bced1d2dc588508a66ae1f032c685d18c12b5a226f
https://crt.sh/?spkisha256=fd1eebe89eb69f45a81eb1fb6bf7216365ff1c138eebad311abcad66c1edf3f9
https://crt.sh/?spkisha256=1b43aeac546388919f0a08dbbaa76750811d255379b884a19578fd3dc99bf996
https://crt.sh/?spkisha256=90a3d4ea7c5d74a0ace3ecf8edec3431c2745763b2b01337002f46807d6481fd
https://crt.sh/?q=7F:6B:B5:9D:E2:D5:65:AD:AC:CB:C1:CD:3D:13:E7:4A:97:73:48:BA:1D:B0:5F:FE:22:87:88:1F:B4:05:43:F3
https://crt.sh/?spkisha256=4064ad789590c24922efb7cd43717894348db4685485105e692de58f85e38a97
https://crt.sh/?spkisha256=56eac7e904baab457374d00c70014dc7f7f4f60d1bf11b55f04320a62d58c8fc
https://crt.sh/?spkisha256=11aebfc94aef03c6bc8a3311a5adc429c7f1b19d6bbaffe32742d37550e193fb
https://crt.sh/?spkisha256=6cc66786a263aa83ced5b214aeab2b9d5472c6b08ace95cb0523cbbcfff87c0c
https://crt.sh/?spkisha256=c7fe3681e2204933d79a5a2414dda71c87fed6ca54d0b5b305e6167fdb6ef1ff
https://crt.sh/?q=F9:7B:90:9C:BF:12:74:9F:98:39:7E:55:02:79:E9:5D:5B:5E:A5:53:1B:D5:95:D2:1E:35:F5:51:DF:E0:F1:14
https://crt.sh/?q=7B:EB:60:C1:B3:E0:BA:F2:D3:5B:6D:E1:06:CB:B4:55:EF:5F:74:E6:90:5C:8A:E7:46:C1:BF:86:13:F3:BB:74
https://crt.sh/?q=D3:88:8C:46:52:54:68:36:46:C4:51:3A:B7:25:50:C5:EC:14:C4:2C:C7:2F:C8:77:0E:8A:F5:64:1A:19:86:D2
https://crt.sh/?q=53:34:B0:28:37:52:69:70:61:E8:43:40:D4:9B:AC:8D:D3:84:00:2C:2A:07:21:6F:64:78:04:66:B8:71:97:6E
https://crt.sh/?q=7D:F3:B4:61:61:4F:FE:0D:3D:F4:6E:A3:A8:2D:B1:C6:DF:F4:04:81:27:F0:64:12:81:A6:7C:6F:87:B6:67:2D
https://crt.sh/?q=DF:B0:8B:03:5C:13:A1:62:BE:F5:A6:6E:C4:E0:86:7E:79:89:6B:C1:2F:D2:E0:6A:41:67:6B:85:FC:69:B1:69
https://crt.sh/?q=53:75:89:85:87:23:04:4D:DE:DC:D6:DA:52:E3:93:29:29:56:73:29:05:4B:E7:CC:23:BA:AC:06:2B:02:17:23
https://crt.sh/?q=A6:89:C5:18:86:1A:7B:4F:22:90:EF:C9:CE:6F:CC:A1:23:24:9E:92:A7:77:0D:7A:80:B7:4B:92:B0:53:FF:B9
https://crt.sh/?q=4E:BA:A4:9F:9A:87:7D:40:16:84:99:53:6A:EF:67:92:E2:E3:36:18:96:91:C0:F4:6E:3B:3F:36:27:19:D8:73
https://crt.sh/?spkisha256=447abdbf6fa23f5ec547db36d27759f6df2daea959eac109389e495041a550f7
https://crt.sh/?spkisha256=8e603d56870cd0d284501138eaa8822442b7e2c8791cb49092666b0b960cf899
https://crt.sh/?spkisha256=2790448e54f746e813ec7991373bf07f31284c01e69c21d8d8dfbb22f7873e86


We have notified the respective CAs of the key material compromise for
each of the above cases.

With each of the above cases, the app author has been given plenty of
time to correct their mistake.  We have a number of keys where we
haven't yet notified the CAs, due to the fact that we turned off
app-author notification quite a few months ago.  (This project would be
a never-ending operation, given the stream of incoming new apps to the
Play store that make the same mistake).

We plan to re-enable email notifications to app authors in cases where
the private keys are used to obtain certificates, as listed on crt.sh.
And after some amount of time, we'll notify the CAs to indicate key
compromise.  The reason for this delay would be to not blind-side site
owners.

On the other hand, given that the private keys have *already* been
compromised (by way of public release), perhaps it doesn't make sense
for such an embargo.  Thoughts?


-- 

Thank you,
   Will Dormann

=============================
Vulnerability Analyst
CERT Coordination Center
4500 Fifth Ave.
Pittsburgh, PA 15213
1-412-268-7090
=============================


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
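An added example, not part of Will Dormann's message or of any CERT/CC tooling: a small Python script that shows how the two kinds of crt.sh lookups above are formed and how a developer or CA can check whether a key that shipped inside an app bundle is the one behind a logged certificate. The `?spkisha256=` value is the SHA-256 of the DER-encoded SubjectPublicKeyInfo, so it can be computed from the public half of any extracted key; the 64-hex-digit `?q=` values are treated here as certificate SHA-256 fingerprints (my reading of crt.sh's query handling, not stated in the mail). The RSA modulus and exponent used are tiny constructed values, not a real key, and the DER encoder is hand-rolled so the block needs only the standard library.

```python
"""Compute the SPKI SHA-256 fingerprint that crt.sh indexes under ?spkisha256=
and check keys found in app bundles against a list of crt.sh links.

Added example; the key material below is constructed and not a real key."""
import hashlib
import re
from urllib.parse import parse_qs, urlparse

# OID 1.2.840.113549.1.1.1 (rsaEncryption), already in DER content-octet form.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    """Tag-length-value wrapper for a single DER element."""
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 keeps it positive)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def rsa_spki_der(n: int, e: int) -> bytes:
    """DER SubjectPublicKeyInfo for an RSA public key (RFC 5280 / RFC 8017 layout):
    SEQUENCE { AlgorithmIdentifier { rsaEncryption, NULL },
               BIT STRING { RSAPublicKey SEQUENCE { n, e } } }"""
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    algorithm = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)  # 0 unused bits
    return der_tlv(0x30, algorithm + subject_public_key)


def spki_sha256(spki_der: bytes) -> str:
    """The value crt.sh accepts in ?spkisha256=: SHA-256 over the DER SPKI."""
    return hashlib.sha256(spki_der).hexdigest()


def crtsh_spki_url(fingerprint: str) -> str:
    return f"https://crt.sh/?spkisha256={fingerprint}"


def parse_crtsh_url(url: str) -> tuple:
    """Classify a crt.sh link: an SPKI hash, a certificate fingerprint, or a
    free-form query. Colons and case are normalised so hashes compare equal."""
    qs = parse_qs(urlparse(url).query)
    if "spkisha256" in qs:
        return ("spkisha256", qs["spkisha256"][0].lower())
    if "q" in qs:
        raw = qs["q"][0]
        value = raw.replace(":", "").lower()
        if re.fullmatch(r"[0-9a-f]{64}", value):
            # Assumption: crt.sh treats a 64-hex-digit q= as a cert SHA-256.
            return ("cert_sha256", value)
        return ("query", raw)
    raise ValueError(f"not a crt.sh lookup I recognise: {url}")


def match_shipped_keys(shipped: dict, urls) -> dict:
    """Given {label: DER SPKI} for keys recovered from app bundles and a list of
    crt.sh links, return the labels whose SPKI hash appears among the links.
    Only ?spkisha256= links can be matched directly; ?q= cert fingerprints would
    need the certificate itself to recover its SPKI."""
    ct_spki = {fp for kind, fp in map(parse_crtsh_url, urls) if kind == "spkisha256"}
    hits = {}
    for label, der in shipped.items():
        fp = spki_sha256(der)
        if fp in ct_spki:
            hits[label] = fp
    return hits


if __name__ == "__main__":
    # Constructed toy key: a 24-bit modulus, e = 65537. Never use such a key.
    toy_spki = rsa_spki_der(0xC0FFEE, 65537)
    fp = spki_sha256(toy_spki)
    print("SPKI DER:", toy_spki.hex())
    print("crt.sh lookup:", crtsh_spki_url(fp))
    # Pretend the toy key turned up in CT alongside one of the real links above.
    links = [crtsh_spki_url(fp),
             "https://crt.sh/?spkisha256=d31922465b3b7a85718752f1ae9bacb7cd1522996b073cd4da2464cdf84f697d"]
    print("keys to report:", match_shipped_keys({"toy-app-key": toy_spki}, links))
```

For a real key, the DER SPKI is what `openssl pkey -pubin -outform DER` (or `openssl x509 -pubkey -noout` piped into it) emits; feeding those bytes to `spki_sha256` gives the same value crt.sh shows, which is the quickest way for an app author to confirm whether a key they bundled is one of the ones listed.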