Hi Wayne,

Sorry about the delay in getting back to you.  This first round of CA
notifications went out at approximately 10AM Eastern time on March 25, 2019.

I just sent out a new set of notifications.  This time the notifications
were limited to only currently-valid certificates, as expired-cert
notification was an oversight in the first batch.  This second list is:

-----

https://crt.sh/?spkisha256=f2da5b49d3df3ebd9fe910c9972eea948f2d55f2f36c42658462f4b7aabe38a5
https://crt.sh/?spkisha256=3198c26a22ed9d9602dad91e50dad40d67dcdae8075d2f7fca0c8b025c4a563b
https://crt.sh/?spkisha256=1dbbd0bf172681ea65ef078865e6f38864e4b40282e9eff72d756383a7b21c51
https://crt.sh/?spkisha256=ccf794fb078d757d59073173daec5ef7ba34a21ecdaa0f61761a21f5736a0fc7
https://crt.sh/?spkisha256=8628d8106b72c39d98e8e731fc3b9364940efea0dfbb4816b1382542a979c834
https://crt.sh/?spkisha256=c108876bca95ab02a0a3d10c7e38981cfc97789922a93bc3fed2a5734e93e97f
https://crt.sh/?spkisha256=876b1175c135cd388d5b596985129a27967bdbbbe92c615ae9cdc7e33d6dfc62
https://crt.sh/?spkisha256=71e1d2ce60955944b522ac4d9674e078f98a07e8edaaf1219c4324660e39139a
https://crt.sh/?q=DC:66:CB:49:F6:DD:A8:13:5C:9D:7A:9E:F0:8A:1F:F7:6B:56:C2:57:88:20:6A:C4:63:F3:76:5B:47:7A:79:C7
https://crt.sh/?spkisha256=f7e6d9d6a0e18d4ba0526068f9a80e8a7bdbba1191a6bf6e0384545b57edd45c
https://crt.sh/?spkisha256=98087a0e49cc3f232aa0e79ed84ec26e4ce07e5bca4e2913f2ff986b25ac4f57
https://crt.sh/?spkisha256=d2e4cf3dbf22f164f2301525a9ba6c2185926717c0a930abf322356bfd75e593
https://crt.sh/?spkisha256=fa362787ec3d1c185602d45e364fa3aa9049a6d54a15aa58302d123f37de621e
https://crt.sh/?spkisha256=f5d5f1cdb56cbac9f7306469ca7380f16226b60689d288cc5154962c55bc1605
https://crt.sh/?spkisha256=a808916ae117cb5ef2c7e73ee11cff0231be1f706106110ca51df4e3914e8b24

-----


This second batch of notifications went out to the respective CAs at
approximately 10:30AM Eastern time today (April 3, 2019).


-- 

Thank you,
   Will Dormann

=============================
Vulnerability Analyst
CERT Coordination Center
4500 Fifth Ave.
Pittsburgh, PA 15213
1-412-268-7090
=============================


On 3/25/2019 8:44 PM, Wayne Thayer wrote:
> Thank you for the report Will and for the tracking info Rob.
> 
> It appears that all but one of these certificates are currently revoked, but
> roughly 5 more weren't revoked until earlier today, which I assume was more
> than 24 hours since they were reported to the CA.
> 
> Will: can you share an approximate date/time when these certificates were
> reported to the CAs? You should have also received a preliminary report
> from the CAs within 24 hours as described in BR section 4.9.5.
> 
> - Wayne
> 
> On Mon, Mar 25, 2019 at 6:11 AM Rob Stradling via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> 
>> I've just created a batch for this list on the Revocation Tracker:
>>
>> https://misissued.com/batch/47/
>>
>> On 22/03/2019 19:05, CERT Coordination Center via dev-security-policy
>> wrote:
>>> Hi folks,
>>>
>>> I'm sharing this information with this list per suggestion of Hanno
>>> Böck.  Some time ago we started looking at private keys that are
>>> included with Android apps that are publicly available in the Google
>>> Play store.  Some subset of these keys have been used to obtain
>>> certificates from CAs participating in the CT project (as visible on
>>> https://crt.sh)
>>>
>>> The following crt.sh links point to keys/certificates that are associated
>>> with the compromised (released to the public) private keys:
>>>
>>>
>> https://crt.sh/?spkisha256=d31922465b3b7a85718752f1ae9bacb7cd1522996b073cd4da2464cdf84f697d
>>>
>> https://crt.sh/?spkisha256=a7c10b71f3c0827222573dcc73dac168d91bf3c564b1f5bd43924baf0472576c
>>>
>> https://crt.sh/?spkisha256=2766f6f5afa36174a08ca27aadaeba6621486960f385bed7ea83173ac2617703
>>>
>> https://crt.sh/?spkisha256=0cf68ccb3c210c91f742efb4d6091f2467132f33df63b56a8dcb2c84cf9a7502
>>>
>> https://crt.sh/?spkisha256=84041b5545a35e4bedcb4e1b88e0790dcf70a14abdf5f34d186e3a5656d060b0
>>>
>> https://crt.sh/?spkisha256=9b4fb504d853e52a1ef4b49a5005d39d4ca5c2e1f98bacedd7befb728d589095
>>>
>> https://crt.sh/?spkisha256=fddde47bfd018ea5b8b04be6dca332203e776d5249517b8db3acf5fa19abba10
>>>
>> https://crt.sh/?spkisha256=24184bbe0eadbcfd69b06b0e6f10d07c58413ecdb080cc609469d8a13ad33417
>>>
>> https://crt.sh/?spkisha256=ebb22a8bd69d1780ec0d74e23c2f83cdd559ef065766dfa80d19be0496ca3e35
>>>
>> https://crt.sh/?spkisha256=d92b4545299cb1c2426205295a8acc24205bd7a9b7f1ab767c9270d6bed929e9
>>>
>> https://crt.sh/?spkisha256=7732d4c9781979c2eda1dca14d610f627bf0eb14ad6d9f86c69d8f3a42c39430
>>>
>> https://crt.sh/?spkisha256=cd6b8f0a1862390bd20dd81e63b266847bf645cdc440f4022fc165e34ff6a7f1
>>>
>> https://crt.sh/?q=FB:1A:41:67:06:26:2B:99:8A:97:73:9A:FC:C7:E3:77:48:C3:E5:21:47:7E:FD:D5:03:D0:0C:31:C4:95:C5:07
>>>
>> https://crt.sh/?q=A7:30:9D:E5:1D:44:85:6A:E6:00:74:C3:0F:3E:3E:EA:23:EA:78:2D:84:6C:10:77:0B:1C:8F:24:B3:6D:D4:4D
>>>
>> https://crt.sh/?spkisha256=79c923c2d644eafef947d40d915b42684d35600a71cea6db22e88d7619a7825c
>>>
>> https://crt.sh/?spkisha256=45c363fd97c114bdbaa8444d068a0347d18c862e657dd90e2a48ac978f533015
>>>
>> https://crt.sh/?spkisha256=8206e318193186cace874b77d4b361ec37940e884d6ca10fca430164da663416
>>>
>> https://crt.sh/?spkisha256=887b1c8bbfb6d54dc47cf4f2397e07e3ccd850ea26bf3bcd8e269bc5b2917266
>>>
>> https://crt.sh/?spkisha256=d1a0748edb263fdf9fe8370db55b2669e52dec46cc61f7eec607febce66bba70
>>>
>> https://crt.sh/?spkisha256=b805cc36a8a84d5f462d8230cb6c05fcd13c7f4d81143c4c58692e1c71ac5c66
>>>
>> https://crt.sh/?spkisha256=f7f5a035038a3f933998ad503fe3535f823355101181ed51e1a942156a178dc2
>>>
>> https://crt.sh/?spkisha256=493f34228ad3179e2dad25a392acae4d2dcaebcf633240a9df9d7f4413c4e681
>>>
>> https://crt.sh/?spkisha256=9b40f2df2dc2bbc5d176cfb7b870342678e19cbf1ab14bef6ea22e20d60ec1b9
>>>
>> https://crt.sh/?spkisha256=cbcbef7bedeb58b1fd36af2bbf32f3269d8a920d7aa77a4d6f7e5beb7c4b656e
>>>
>> https://crt.sh/?spkisha256=357d37290366067db84ddc291ed15eeb0fef413235101c996a8d6f97e14dfa33
>>>
>> https://crt.sh/?spkisha256=f8e3776c8f5cd1617faf006e2bfa3b7be3ea11960aa55f7ef72416bde1b7f958
>>>
>> https://crt.sh/?spkisha256=6e199b309105b8f05f8af089eb9b97d7c4caf2490974c8d4e069a2ca5aca4574
>>>
>> https://crt.sh/?spkisha256=9b56d3c26284ad6a2faa95ca5f4c13ab69d995abea034bac169146f5401a7a02
>>>
>> https://crt.sh/?spkisha256=758854a6e58cd778129d56e72617d9312ac4a3bcf9c9b1227a117bb5ea83245e
>>>
>> https://crt.sh/?spkisha256=0a7b4ca246d82b7b1abe7192be4960a1b9d236f59d056dae3c98bd9c147262f9
>>>
>> https://crt.sh/?spkisha256=b4a95d9b6d13a38c5e1c5002c69084f4de054e9dc2139afb5fa2454b8042147a
>>>
>> https://crt.sh/?q=59:A2:F6:05:11:57:A4:11:03:2E:39:45:2B:35:BF:01:E0:04:03:9E:C4:BA:EE:DE:1A:F8:BE:18:B2:4A:85:25
>>>
>> https://crt.sh/?spkisha256=6e9bc0bd50ea63c19a0e9f04dea75bcca4f18306fea65859cc0676bfeeed87d5
>>>
>> https://crt.sh/?spkisha256=45ebf9d2308a2b156e50ec13b0a27abc22124d4c167df730dc871773cdbfe66f
>>>
>> https://crt.sh/?spkisha256=f0a48dd187500284ed98bd9293b3821f60efdf704aed5c14b7c366fc6a02aad9
>>>
>> https://crt.sh/?spkisha256=07d669c4c024b6e5e1ab0d47e3af705764adb8066ab797ed9be6d690086f0772
>>>
>> https://crt.sh/?spkisha256=22f6b4e6f9e06687c9df8c9cf4715e7fc58cdf7163d404d2362a4288b7c7e975
>>>
>> https://crt.sh/?spkisha256=50259dd332075155f9fb4ae2dc23ad193b343941a6efef81d7d2ea2ee1aae1ec
>>>
>> https://crt.sh/?spkisha256=a1c5cd8e193dffe45230254b62e27f4438414b69b439f835fea54f741c6c6f59
>>>
>> https://crt.sh/?spkisha256=e3e5c7ff15cd52ce05902b8ae42ae08c3257457136756c89a35f7ee8554c9e59
>>>
>> https://crt.sh/?spkisha256=d1c40311777bdc363fbe01eda747126efd2de188864cdba4ea5c131e1439da6e
>>>
>> https://crt.sh/?spkisha256=c327dc1213ae46b0d3d716bced1d2dc588508a66ae1f032c685d18c12b5a226f
>>>
>> https://crt.sh/?spkisha256=fd1eebe89eb69f45a81eb1fb6bf7216365ff1c138eebad311abcad66c1edf3f9
>>>
>> https://crt.sh/?spkisha256=1b43aeac546388919f0a08dbbaa76750811d255379b884a19578fd3dc99bf996
>>>
>> https://crt.sh/?spkisha256=90a3d4ea7c5d74a0ace3ecf8edec3431c2745763b2b01337002f46807d6481fd
>>>
>> https://crt.sh/?q=7F:6B:B5:9D:E2:D5:65:AD:AC:CB:C1:CD:3D:13:E7:4A:97:73:48:BA:1D:B0:5F:FE:22:87:88:1F:B4:05:43:F3
>>>
>> https://crt.sh/?spkisha256=4064ad789590c24922efb7cd43717894348db4685485105e692de58f85e38a97
>>>
>> https://crt.sh/?spkisha256=56eac7e904baab457374d00c70014dc7f7f4f60d1bf11b55f04320a62d58c8fc
>>>
>> https://crt.sh/?spkisha256=11aebfc94aef03c6bc8a3311a5adc429c7f1b19d6bbaffe32742d37550e193fb
>>>
>> https://crt.sh/?spkisha256=6cc66786a263aa83ced5b214aeab2b9d5472c6b08ace95cb0523cbbcfff87c0c
>>>
>> https://crt.sh/?spkisha256=c7fe3681e2204933d79a5a2414dda71c87fed6ca54d0b5b305e6167fdb6ef1ff
>>>
>> https://crt.sh/?q=F9:7B:90:9C:BF:12:74:9F:98:39:7E:55:02:79:E9:5D:5B:5E:A5:53:1B:D5:95:D2:1E:35:F5:51:DF:E0:F1:14
>>>
>> https://crt.sh/?q=7B:EB:60:C1:B3:E0:BA:F2:D3:5B:6D:E1:06:CB:B4:55:EF:5F:74:E6:90:5C:8A:E7:46:C1:BF:86:13:F3:BB:74
>>>
>> https://crt.sh/?q=D3:88:8C:46:52:54:68:36:46:C4:51:3A:B7:25:50:C5:EC:14:C4:2C:C7:2F:C8:77:0E:8A:F5:64:1A:19:86:D2
>>>
>> https://crt.sh/?q=53:34:B0:28:37:52:69:70:61:E8:43:40:D4:9B:AC:8D:D3:84:00:2C:2A:07:21:6F:64:78:04:66:B8:71:97:6E
>>>
>> https://crt.sh/?q=7D:F3:B4:61:61:4F:FE:0D:3D:F4:6E:A3:A8:2D:B1:C6:DF:F4:04:81:27:F0:64:12:81:A6:7C:6F:87:B6:67:2D
>>>
>> https://crt.sh/?q=DF:B0:8B:03:5C:13:A1:62:BE:F5:A6:6E:C4:E0:86:7E:79:89:6B:C1:2F:D2:E0:6A:41:67:6B:85:FC:69:B1:69
>>>
>> https://crt.sh/?q=53:75:89:85:87:23:04:4D:DE:DC:D6:DA:52:E3:93:29:29:56:73:29:05:4B:E7:CC:23:BA:AC:06:2B:02:17:23
>>>
>> https://crt.sh/?q=A6:89:C5:18:86:1A:7B:4F:22:90:EF:C9:CE:6F:CC:A1:23:24:9E:92:A7:77:0D:7A:80:B7:4B:92:B0:53:FF:B9
>>>
>> https://crt.sh/?q=4E:BA:A4:9F:9A:87:7D:40:16:84:99:53:6A:EF:67:92:E2:E3:36:18:96:91:C0:F4:6E:3B:3F:36:27:19:D8:73
>>>
>> https://crt.sh/?spkisha256=447abdbf6fa23f5ec547db36d27759f6df2daea959eac109389e495041a550f7
>>>
>> https://crt.sh/?spkisha256=8e603d56870cd0d284501138eaa8822442b7e2c8791cb49092666b0b960cf899
>>>
>> https://crt.sh/?spkisha256=2790448e54f746e813ec7991373bf07f31284c01e69c21d8d8dfbb22f7873e86
>>>
>>>
>>> We have notified the respective CAs of the key material compromise for
>>> each of the above cases.
>>>
>>> With each of the above cases, the app author has been given plenty of
>>> time to correct their mistake.  We have a number of keys where we
>>> haven't yet notified the CAs, due to the fact that we turned off
>>> app-author notification quite a few months ago.  (This project would be
>>> a never-ending operation, given the stream of incoming new apps to the
>>> Play store that make the same mistake).
>>>
>>> We plan to re-enable email notifications to app authors in cases where
>>> the private keys are used to obtain certificates, as listed on crt.sh.
>>> And after some amount of time, we'll notify the CAs to indicate key
>>> compromise.  The reason for this delay would be to not blind-side site
>>> owners.
>>>
>>> On the other hand, given that the private keys have *already* been
>>> compromised (by way of public release), perhaps it doesn't make sense
>>> for such an embargo.  Thoughts?
>>
>> --
>> Rob Stradling
>> Senior Research & Development Scientist
>> Sectigo Limited
>> _______________________________________________
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy
>>
> 




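The lookups above work because crt.sh indexes certificates by the SHA-256 of their DER-encoded SubjectPublicKeyInfo (the spkisha256= form) and by the SHA-256 fingerprint of the whole certificate (the colon-separated q= form). The script below is an added example, not code from CERT/CC, crt.sh or anyone in this thread; it assumes only the openssl command-line tool. Given a private key pulled out of an app package it derives the crt.sh URL that lists every logged certificate issued for that key, and it checks that a candidate certificate really carries the same public key before anyone reports a compromise to a CA. The key and self-signed certificate it builds are constructed test material standing in for a leaked key.

```shell
#!/bin/sh
# Map leaked key material to Certificate Transparency records via crt.sh.
#
# crt.sh lookup forms used in the thread above:
#   ?spkisha256=<64 lowercase hex>  SHA-256 over the DER SubjectPublicKeyInfo
#   ?q=<AA:BB:...:ZZ>               SHA-256 fingerprint of the DER certificate
# The first is the one to use when holding a private key: it matches every
# certificate for that public key, whichever CA issued it.

set -eu

# SHA-256 of the SubjectPublicKeyInfo derived from a PEM private key -> hex.
spki_sha256_from_key() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Same hash from the public key embedded in a PEM certificate, so a leaked
# key and a suspect certificate can be matched offline.
spki_sha256_from_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Certificate SHA-256 fingerprint in the colon-separated form crt.sh's q= takes.
cert_sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

crtsh_url_for_key()  { printf 'https://crt.sh/?spkisha256=%s\n' "$(spki_sha256_from_key "$1")"; }
crtsh_url_for_cert() { printf 'https://crt.sh/?q=%s\n' "$(cert_sha256_fingerprint "$1")"; }

# Constructed test data: a throwaway P-256 key and a self-signed certificate
# for it, standing in for a key found inside an APK. Prints the temp dir.
make_test_material() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/key.pem" 2>/dev/null
    openssl req -new -x509 -key "$dir/key.pem" -subj "/CN=leaked.example" \
        -days 1 -out "$dir/cert.pem" 2>/dev/null
    printf '%s\n' "$dir"
}

# Returns 0 when key and certificate carry the same public key and the hash
# is well-formed. Run this before telling a CA that a certificate's key is
# compromised: a wrong match wastes the CA's 24-hour revocation clock.
key_matches_cert() {
    k=$(spki_sha256_from_key "$1")
    c=$(spki_sha256_from_cert "$2")
    [ "$k" = "$c" ] && printf '%s' "$k" | grep -Eq '^[0-9a-f]{64}$'
}

# Usage: sh crtsh_lookup.sh demo   (or source the file and call the functions)
if [ "${1:-}" = "demo" ]; then
    d=$(make_test_material)
    crtsh_url_for_key "$d/key.pem"
    crtsh_url_for_cert "$d/cert.pem"
    rm -rf "$d"
fi
```

Hashing the SPKI rather than the certificate is what makes this useful for the problem in the thread: one leaked key may have been used to obtain certificates from several CAs at different times, and the spkisha256 query returns all of them, expired ones included, which is why the second batch of notifications had to be filtered down to currently-valid certificates.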