I've just created a batch for this list on the Revocation Tracker:

https://misissued.com/batch/47/

On 22/03/2019 19:05, CERT Coordination Center via dev-security-policy wrote:
> Hi folks,
> 
> I'm sharing this information with this list per suggestion of Hanno
> Böck.  Some time ago we started looking at private keys that are
> included with Android apps that are publicly available in the Google
> Play store.  Some subset of these keys have been used to obtain
> certificates from CAs participating in the CT project (as visible on
> https://crt.sh)
> 
> The following crt.sh URLs link to keys/certificates that are associated with
> the compromised (released to the public) private keys:
> 
> https://crt.sh/?spkisha256=d31922465b3b7a85718752f1ae9bacb7cd1522996b073cd4da2464cdf84f697d
> https://crt.sh/?spkisha256=a7c10b71f3c0827222573dcc73dac168d91bf3c564b1f5bd43924baf0472576c
> https://crt.sh/?spkisha256=2766f6f5afa36174a08ca27aadaeba6621486960f385bed7ea83173ac2617703
> https://crt.sh/?spkisha256=0cf68ccb3c210c91f742efb4d6091f2467132f33df63b56a8dcb2c84cf9a7502
> https://crt.sh/?spkisha256=84041b5545a35e4bedcb4e1b88e0790dcf70a14abdf5f34d186e3a5656d060b0
> https://crt.sh/?spkisha256=9b4fb504d853e52a1ef4b49a5005d39d4ca5c2e1f98bacedd7befb728d589095
> https://crt.sh/?spkisha256=fddde47bfd018ea5b8b04be6dca332203e776d5249517b8db3acf5fa19abba10
> https://crt.sh/?spkisha256=24184bbe0eadbcfd69b06b0e6f10d07c58413ecdb080cc609469d8a13ad33417
> https://crt.sh/?spkisha256=ebb22a8bd69d1780ec0d74e23c2f83cdd559ef065766dfa80d19be0496ca3e35
> https://crt.sh/?spkisha256=d92b4545299cb1c2426205295a8acc24205bd7a9b7f1ab767c9270d6bed929e9
> https://crt.sh/?spkisha256=7732d4c9781979c2eda1dca14d610f627bf0eb14ad6d9f86c69d8f3a42c39430
> https://crt.sh/?spkisha256=cd6b8f0a1862390bd20dd81e63b266847bf645cdc440f4022fc165e34ff6a7f1
> https://crt.sh/?q=FB:1A:41:67:06:26:2B:99:8A:97:73:9A:FC:C7:E3:77:48:C3:E5:21:47:7E:FD:D5:03:D0:0C:31:C4:95:C5:07
> https://crt.sh/?q=A7:30:9D:E5:1D:44:85:6A:E6:00:74:C3:0F:3E:3E:EA:23:EA:78:2D:84:6C:10:77:0B:1C:8F:24:B3:6D:D4:4D
> https://crt.sh/?spkisha256=79c923c2d644eafef947d40d915b42684d35600a71cea6db22e88d7619a7825c
> https://crt.sh/?spkisha256=45c363fd97c114bdbaa8444d068a0347d18c862e657dd90e2a48ac978f533015
> https://crt.sh/?spkisha256=8206e318193186cace874b77d4b361ec37940e884d6ca10fca430164da663416
> https://crt.sh/?spkisha256=887b1c8bbfb6d54dc47cf4f2397e07e3ccd850ea26bf3bcd8e269bc5b2917266
> https://crt.sh/?spkisha256=d1a0748edb263fdf9fe8370db55b2669e52dec46cc61f7eec607febce66bba70
> https://crt.sh/?spkisha256=b805cc36a8a84d5f462d8230cb6c05fcd13c7f4d81143c4c58692e1c71ac5c66
> https://crt.sh/?spkisha256=f7f5a035038a3f933998ad503fe3535f823355101181ed51e1a942156a178dc2
> https://crt.sh/?spkisha256=493f34228ad3179e2dad25a392acae4d2dcaebcf633240a9df9d7f4413c4e681
> https://crt.sh/?spkisha256=9b40f2df2dc2bbc5d176cfb7b870342678e19cbf1ab14bef6ea22e20d60ec1b9
> https://crt.sh/?spkisha256=cbcbef7bedeb58b1fd36af2bbf32f3269d8a920d7aa77a4d6f7e5beb7c4b656e
> https://crt.sh/?spkisha256=357d37290366067db84ddc291ed15eeb0fef413235101c996a8d6f97e14dfa33
> https://crt.sh/?spkisha256=f8e3776c8f5cd1617faf006e2bfa3b7be3ea11960aa55f7ef72416bde1b7f958
> https://crt.sh/?spkisha256=6e199b309105b8f05f8af089eb9b97d7c4caf2490974c8d4e069a2ca5aca4574
> https://crt.sh/?spkisha256=9b56d3c26284ad6a2faa95ca5f4c13ab69d995abea034bac169146f5401a7a02
> https://crt.sh/?spkisha256=758854a6e58cd778129d56e72617d9312ac4a3bcf9c9b1227a117bb5ea83245e
> https://crt.sh/?spkisha256=0a7b4ca246d82b7b1abe7192be4960a1b9d236f59d056dae3c98bd9c147262f9
> https://crt.sh/?spkisha256=b4a95d9b6d13a38c5e1c5002c69084f4de054e9dc2139afb5fa2454b8042147a
> https://crt.sh/?q=59:A2:F6:05:11:57:A4:11:03:2E:39:45:2B:35:BF:01:E0:04:03:9E:C4:BA:EE:DE:1A:F8:BE:18:B2:4A:85:25
> https://crt.sh/?spkisha256=6e9bc0bd50ea63c19a0e9f04dea75bcca4f18306fea65859cc0676bfeeed87d5
> https://crt.sh/?spkisha256=45ebf9d2308a2b156e50ec13b0a27abc22124d4c167df730dc871773cdbfe66f
> https://crt.sh/?spkisha256=f0a48dd187500284ed98bd9293b3821f60efdf704aed5c14b7c366fc6a02aad9
> https://crt.sh/?spkisha256=07d669c4c024b6e5e1ab0d47e3af705764adb8066ab797ed9be6d690086f0772
> https://crt.sh/?spkisha256=22f6b4e6f9e06687c9df8c9cf4715e7fc58cdf7163d404d2362a4288b7c7e975
> https://crt.sh/?spkisha256=50259dd332075155f9fb4ae2dc23ad193b343941a6efef81d7d2ea2ee1aae1ec
> https://crt.sh/?spkisha256=a1c5cd8e193dffe45230254b62e27f4438414b69b439f835fea54f741c6c6f59
> https://crt.sh/?spkisha256=e3e5c7ff15cd52ce05902b8ae42ae08c3257457136756c89a35f7ee8554c9e59
> https://crt.sh/?spkisha256=d1c40311777bdc363fbe01eda747126efd2de188864cdba4ea5c131e1439da6e
> https://crt.sh/?spkisha256=c327dc1213ae46b0d3d716bced1d2dc588508a66ae1f032c685d18c12b5a226f
> https://crt.sh/?spkisha256=fd1eebe89eb69f45a81eb1fb6bf7216365ff1c138eebad311abcad66c1edf3f9
> https://crt.sh/?spkisha256=1b43aeac546388919f0a08dbbaa76750811d255379b884a19578fd3dc99bf996
> https://crt.sh/?spkisha256=90a3d4ea7c5d74a0ace3ecf8edec3431c2745763b2b01337002f46807d6481fd
> https://crt.sh/?q=7F:6B:B5:9D:E2:D5:65:AD:AC:CB:C1:CD:3D:13:E7:4A:97:73:48:BA:1D:B0:5F:FE:22:87:88:1F:B4:05:43:F3
> https://crt.sh/?spkisha256=4064ad789590c24922efb7cd43717894348db4685485105e692de58f85e38a97
> https://crt.sh/?spkisha256=56eac7e904baab457374d00c70014dc7f7f4f60d1bf11b55f04320a62d58c8fc
> https://crt.sh/?spkisha256=11aebfc94aef03c6bc8a3311a5adc429c7f1b19d6bbaffe32742d37550e193fb
> https://crt.sh/?spkisha256=6cc66786a263aa83ced5b214aeab2b9d5472c6b08ace95cb0523cbbcfff87c0c
> https://crt.sh/?spkisha256=c7fe3681e2204933d79a5a2414dda71c87fed6ca54d0b5b305e6167fdb6ef1ff
> https://crt.sh/?q=F9:7B:90:9C:BF:12:74:9F:98:39:7E:55:02:79:E9:5D:5B:5E:A5:53:1B:D5:95:D2:1E:35:F5:51:DF:E0:F1:14
> https://crt.sh/?q=7B:EB:60:C1:B3:E0:BA:F2:D3:5B:6D:E1:06:CB:B4:55:EF:5F:74:E6:90:5C:8A:E7:46:C1:BF:86:13:F3:BB:74
> https://crt.sh/?q=D3:88:8C:46:52:54:68:36:46:C4:51:3A:B7:25:50:C5:EC:14:C4:2C:C7:2F:C8:77:0E:8A:F5:64:1A:19:86:D2
> https://crt.sh/?q=53:34:B0:28:37:52:69:70:61:E8:43:40:D4:9B:AC:8D:D3:84:00:2C:2A:07:21:6F:64:78:04:66:B8:71:97:6E
> https://crt.sh/?q=7D:F3:B4:61:61:4F:FE:0D:3D:F4:6E:A3:A8:2D:B1:C6:DF:F4:04:81:27:F0:64:12:81:A6:7C:6F:87:B6:67:2D
> https://crt.sh/?q=DF:B0:8B:03:5C:13:A1:62:BE:F5:A6:6E:C4:E0:86:7E:79:89:6B:C1:2F:D2:E0:6A:41:67:6B:85:FC:69:B1:69
> https://crt.sh/?q=53:75:89:85:87:23:04:4D:DE:DC:D6:DA:52:E3:93:29:29:56:73:29:05:4B:E7:CC:23:BA:AC:06:2B:02:17:23
> https://crt.sh/?q=A6:89:C5:18:86:1A:7B:4F:22:90:EF:C9:CE:6F:CC:A1:23:24:9E:92:A7:77:0D:7A:80:B7:4B:92:B0:53:FF:B9
> https://crt.sh/?q=4E:BA:A4:9F:9A:87:7D:40:16:84:99:53:6A:EF:67:92:E2:E3:36:18:96:91:C0:F4:6E:3B:3F:36:27:19:D8:73
> https://crt.sh/?spkisha256=447abdbf6fa23f5ec547db36d27759f6df2daea959eac109389e495041a550f7
> https://crt.sh/?spkisha256=8e603d56870cd0d284501138eaa8822442b7e2c8791cb49092666b0b960cf899
> https://crt.sh/?spkisha256=2790448e54f746e813ec7991373bf07f31284c01e69c21d8d8dfbb22f7873e86
> 
> 
> We have notified the respective CAs of the key material compromise for
> each of the above cases.
> 
> With each of the above cases, the app author has been given plenty of
> time to correct their mistake.  We have a number of keys where we
> haven't yet notified the CAs, due to the fact that we turned off
> app-author notification quite a few months ago.  (This project would be
> a never-ending operation, given the stream of incoming new apps to the
> Play store that make the same mistake).
> 
> We plan to re-enable email notifications to app authors in cases where
> the private keys are used to obtain certificates, as listed on crt.sh.
> And after some amount of time, we'll notify the CAs to indicate key
> compromise.  The reason for this delay would be to not blind-side site
> owners.
> 
> On the other hand, given that the private keys have *already* been
> compromised (by way of public release), perhaps it doesn't make sense
> for such an embargo.  Thoughts?

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
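The lookups in the quoted message are keyed on the SHA-256 of a certificate's DER-encoded SubjectPublicKeyInfo (crt.sh's "spkisha256" parameter) or on the certificate's own SHA-256 fingerprint (the colon-separated "?q=" form). The script below is an added example, not CERT/CC's tooling or anything from the original thread: it reproduces that check with the openssl command line, so that a private key recovered from an app package can be turned into the crt.sh URL that lists every CT-logged certificate issued for it, and a candidate certificate can be confirmed to belong to that key. It assumes openssl is installed, the file paths are illustrative, and the APK file-name filter is a naive heuristic of my own.

```shell
#!/bin/sh
# Added example (not from the original post). Given a private key recovered
# from an app package, compute the SHA-256 of its DER-encoded
# SubjectPublicKeyInfo; that digest is what crt.sh indexes as "spkisha256".
# Requires openssl. File paths and the APK heuristic are assumptions.

# spki_sha256 KEYFILE
#   KEYFILE is a PEM private key (PKCS#1, PKCS#8 or EC) or a PEM public key.
#   Prints 64 lowercase hex chars; returns 1 if openssl cannot parse the file.
spki_sha256() {
    spki_der=$(mktemp) || return 1
    # Try as a private key first; fall back to reading a public key (-pubin).
    if ! openssl pkey -in "$1" -pubout -outform DER -out "$spki_der" 2>/dev/null; then
        openssl pkey -pubin -in "$1" -pubout -outform DER -out "$spki_der" 2>/dev/null \
            || { rm -f "$spki_der"; return 1; }
    fi
    # An empty output file would still hash to a digest, so refuse it explicitly.
    [ -s "$spki_der" ] || { rm -f "$spki_der"; return 1; }
    openssl dgst -sha256 "$spki_der" | awk '{print $NF}'
    rm -f "$spki_der"
}

# cert_spki_sha256 CERTFILE
#   The same digest computed from a certificate's public key. If it equals
#   spki_sha256 of a leaked key, the certificate was issued for that key.
cert_spki_sha256() {
    pub_pem=$(mktemp) || return 1
    openssl x509 -in "$1" -noout -pubkey > "$pub_pem" 2>/dev/null \
        || { rm -f "$pub_pem"; return 1; }
    spki_sha256 "$pub_pem"
    rc=$?
    rm -f "$pub_pem"
    return $rc
}

# cert_sha256 CERTFILE
#   Colon-separated, upper-case SHA-256 fingerprint of the certificate itself,
#   the form used by the "?q=" links in the message.
cert_sha256() {
    fp=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)
    [ -n "$fp" ] || return 1
    printf '%s\n' "$fp"
}

# crt.sh query URLs for a key and for a certificate.
crtsh_spki_url() { h=$(spki_sha256 "$1") || return 1; printf 'https://crt.sh/?spkisha256=%s\n' "$h"; }
crtsh_cert_url() { f=$(cert_sha256 "$1") || return 1; printf 'https://crt.sh/?q=%s\n' "$f"; }

# list_key_candidates APP.apk
#   Naive file-name heuristic (my assumption, not CERT/CC's method): an APK is
#   a zip archive, so list entries whose names look like key material.
list_key_candidates() {
    unzip -Z1 "$1" | grep -Ei '\.(pem|key|der|p12|pfx|jks|bks)$'
}

# Usage: sh leaked_key_check.sh KEYFILE [CERTFILE]
main() {
    key_hash=$(spki_sha256 "$1") || { echo "cannot parse key: $1" >&2; return 1; }
    echo "spkisha256: $key_hash"
    crtsh_spki_url "$1"
    if [ -n "$2" ]; then
        if [ "$(cert_spki_sha256 "$2")" = "$key_hash" ]; then
            echo "MATCH: $2 was issued for the leaked key; report key compromise to the issuing CA"
        else
            echo "no match: $2 uses a different key"
        fi
        crtsh_cert_url "$2"
    fi
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh leaked_key_check.sh extracted.key` to get the spkisha256 value and the crt.sh URL; opening that URL shows every CT-logged certificate that carries the key, which is what has to be reported to the issuing CA as a key compromise. Passing a certificate as the second argument confirms locally that the key and certificate match before any notification goes out.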