Hi,

I was recently sent https://crt.sh/?id=380678631 by Nathanial Lattimer 
(https://twitter.com/d0nutptr), when he noticed it appeared to contain subject 
information for a completely different entity (Harman International's domain, 
Twitter's organizational information). It appears Sectigo made this mistake 
several times, in https://crt.sh/?id=380583413 and https://crt.sh/?id=369796283 
as well.

These certificates expired in 2019 and are thus no longer a problem, but they 
were actively used by the customer (e.infinityspeakers.com still serves one of 
them) and it does not appear anyone has noticed. Harman is owned by Samsung and 
so it is very unlikely these were properly issued.

I wanted to highlight this mis-issuance since it seems like a concerning 
failure case that is different from a simple typo, and may have a more systemic 
root cause. If there is a bug that is repeatedly causing i.e. the swapping of 
identity information in certificate requests, it would be pretty concerning.

These certificates have been reported to sslab...@sectigo.com as well.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy