A certificate with a publicly-disclosed private key was reported to
GlobalSign for revocation within the BR-mandated 24 hour period; however, the
revocation took place over 46 hours after the report was sent.  Several
requests for information I had already provided were made by GlobalSign;
however, the revocation eventually took place without any further information
being required.  Communication from GlobalSign then appeared to suggest that
the certificate had "already" been revoked, despite timestamps in the CRL
indicating otherwise.

I believe an incident report for this event is warranted, given that
GlobalSign was provided with sufficient information to revoke the
certificate in the initial problem report (based on the fact that revocation
eventually took place with no further information being provided by myself),
but failed to do so within the BR-mandated time period.

Excruciatingly detailed timeline follows.

2020-03-06 21:48:53Z E-mail sent to report-ab...@globalsign.com:

-----8<-----
Date: Sat, 7 Mar 2020 08:48:53 +1100
From: Matt Palmer <mpal...@hezmatt.org>
To: report-ab...@globalsign.com
Subject: Problem Report for certificate(s) with compromised private key

One or more certificates issued by your CA are using a private key which has
been publicly disclosed.  The list of affected certificates can be retrieved
from

https://crt.sh/?spkisha256=6a02703a7a2ba3f368a2915305383549cf8ada8262422697d62d5ba410e4d93f

Included below is a CSR, signed by the compromised private key,
demonstrating proof of possession:

-----BEGIN CERTIFICATE REQUEST-----
[CSR body elided]
-----END CERTIFICATE REQUEST-----

Please revoke all affected certificates within 24 hours, as per the Baseline
Requirements.

- Matt
----->8-----

2020-03-06 21:49:04Z E-mail is accepted for delivery by a GlobalSign MX:

-----8<-----
Mar  6 21:49:04 minotaur postfix/smtp[26026]: 75BC71857EE:
to=<report-ab...@globalsign.com>,
relay=globalsign-com.mail.protection.outlook.com[104.47.93.36]:25,
delay=6.8, delays=0.47/0.01/0.9/5.4, dsn=2.6.0, status=sent (250 2.6.0
<20200306214853.kpohtnh5y2m3k...@hezmatt.org> [InternalId=34857954577034,
Hostname=HK0PR03MB2755.apcprd03.prod.outlook.com] 10967 bytes in 3.479,
3.078 KB/sec Queued mail for delivery)
----->8-----

2020-03-06 21:49:15Z Auto-ack e-mail received from GlobalSign:

-----8<-----
Dear Matt Palmer,

Thank you for reporting this issue to GlobalSign.  Case #04076325: "Problem
Report for certificate(s) with compromised private key" has been created and
a GlobalSign representative will investigate this immediately.  If requested
you will receive a response from a designated representative as soon as
possible.

Thank you,
Customer Service Team  GlobalSign
----->8-----

2020-03-06 22:08:06Z Human response from GlobalSign:

-----8<-----
Hello,

Thank you for contacting GlobalSign.

We have received your report of certificate abuse.  GlobalSign takes these
accusations very seriously.  We will be opening an investigation and will
keep you updated on any advances we make.

Sincerely,
Akshit Bhambota
GlobalSign Support Team
----->8-----

2020-03-06 22:21:22Z A rather odd form-looking e-mail is sent from
GlobalSign:

-----8<-----
Hello,

Thank you for submitting your report regarding the suspected fraudulent
activity or misuse of a GlobalSign certificate.  In furtherance of this, we
will require additional information to help us investigate further.

Order ID: ___________________________
Serial # : ____________________________
Domain/Common Name: __________________________


GlobalSign takes these accusations very seriously and if the use of a
certificate is deemed to be in violation of our policies, we have the right
to revoke the certificate under the terms of our Subscriber Agreement. 
GlobalSign may revoke the certificate if no action is taken by the
certificate owner.

If you have any questions about this report, please contact our support team
anytime by responding to this email, live chat at www.globalsign.com(live
chat button) or reach us to any of the numbers from this page
https://www.globalsign.com/en/company/contact/

We will keep you posted for updates.
Sincerely,
GlobalSign Support Team
ref:_00D20BO9n._5003Y1quzXh:ref
----->8-----

How exactly I'm supposed to know the Order ID of the certificate to be
revoked is quite beyond me, while the serial number and domain name(s) of
the certificate in question were available from the crt.sh link I provided
in my initial e-mail.

2020-03-06 22:59:58Z Another form-looking e-mail is sent from
GlobalSign:

-----8<-----
Hello,

Thank you for submitting your report regarding the suspected fraudulent 
activity or misuse of a GlobalSign
certificate. In furtherance of this, we will require additional information to 
help us investigate further.

If you can provide me location of the private key or the link that would be 
great.

Order ID: ___________________________
Serial # : ____________________________
Domain/Common Name: __________________________


GlobalSign takes these accusations very seriously and if the use of a 
certificate is deemed to be in violation of our policies,
we have the right to revoke the certificate under the terms of our Subscriber 
Agreement. GlobalSign may
revoke the certificate if no action is taken by the certificate owner.

If you have any questions about this report, please contact our support team 
anytime by responding to this email,
live chat at www.globalsign.com(live chat button) or reach us to any of the 
numbers
from this page https://www.globalsign.com/en/company/contact/

We will keep you posted for updates.
Sincerely,
GlobalSign Support Team

--------------- Original Message ---------------
From: Report - Abuse [report-ab...@globalsign.com]
Sent: 3/7/2020 3:51 AM
To: mpal...@hezmatt.org
Subject: Problem Report for certificate(s) with compromised private key    [ ]

Hello,
 
Thank you for submitting your report regarding the suspected fraudulent 
activity or misuse of a GlobalSign
certificate. In furtherance of this, we will require additional information to 
help us investigate further.
  
Order ID: ___________________________
Serial # : ____________________________
Domain/Common Name: __________________________
  
 
GlobalSign takes these accusations very seriously and if the use of a 
certificate is deemed to be in violation of our policies,
we have the right to revoke the certificate under the terms of our Subscriber 
Agreement. GlobalSign may
revoke the certificate if no action is taken by the certificate owner.
  
If you have any questions about this report, please contact our support team 
anytime by responding to this email,
live chat at www.globalsign.com(live chat button) or reach us to any of the 
numbers
from this page https://www.globalsign.com/en/company/contact/
  
We will keep you posted for updates.
Sincerely,
GlobalSign Support Team
ref:_00D20BO9n._5003Y1quzXh:ref
----->8-----

Yes, GlobalSign quoted their own e-mail to send more-or-less the same
request for information already provided and/or unknowable by me, except
this time with an additional invitation to submit a private key over
unsecured e-mail.

2020-03-07 14:26:28Z Yet another form-looking e-mail from GlobalSign:

-----8<-----
Hello,

This is the follow up email for case you created with GlobalSign Please reply 
us so we can investigate as soon as possible.

Thank you for submitting your report regarding the suspected fraudulent 
activity or misuse of a GlobalSign
certificate. In furtherance of this, we will require additional information to 
help us investigate further.

If you can provide us location of the private key or the link from where you 
download the private key would be great.

Order ID: ___________________________
Serial # : ____________________________
Domain/Common Name: __________________________


GlobalSign takes these accusations very seriously and if the use of a 
certificate is deemed to be in violation of our policies,
we have the right to revoke the certificate under the terms of our Subscriber 
Agreement. GlobalSign may
revoke the certificate if no action is taken by the certificate owner.

If you have any questions about this report, please contact our support team 
anytime by responding to this email,
live chat at www.globalsign.com(live chat button) or reach us to any of the 
numbers
from this page https://www.globalsign.com/en/company/contact/

We will keep you posted for updates.
Sincerely,
GlobalSign Support Team

--------------- Original Message ---------------
From: Report - Abuse [report-ab...@globalsign.com]
Sent: 3/7/2020 4:29 AM
To: mpal...@hezmatt.org
Subject: RE: Problem Report for certificate(s) with compromised private key    
[ ref:_00D20BO9n._5003Y1quzXh:    [ ]

Hello,

Thank you for submitting your report regarding the suspected fraudulent 
activity or misuse of a GlobalSign
certificate. In furtherance of this, we will require additional information to 
help us investigate further.

If you can provide me location of the private key or the link that would be 
great.

Order ID: ___________________________
Serial # : ____________________________
Domain/Common Name: __________________________


GlobalSign takes these accusations very seriously and if the use of a 
certificate is deemed to be in violation of our policies,
we have the right to revoke the certificate under the terms of our Subscriber 
Agreement. GlobalSign may
revoke the certificate if no action is taken by the certificate owner.

If you have any questions about this report, please contact our support team 
anytime by responding to this email,
live chat at www.globalsign.com(live chat button) or reach us to any of the 
numbers
from this page https://www.globalsign.com/en/company/contact/

We will keep you posted for updates.
Sincerely,
GlobalSign Support Team

--------------- Original Message ---------------
From: Report - Abuse [report-ab...@globalsign.com]
Sent: 3/7/2020 3:51 AM
To: mpal...@hezmatt.org
Subject: Problem Report for certificate(s) with compromised private key    [ ]

Hello,

Thank you for submitting your report regarding the suspected fraudulent 
activity or misuse of a GlobalSign
certificate. In furtherance of this, we will require additional information to 
help us investigate further.
  
Order ID: ___________________________
Serial # : ____________________________
Domain/Common Name: __________________________
  
 
GlobalSign takes these accusations very seriously and if the use of a 
certificate is deemed to be in violation of our policies,
we have the right to revoke the certificate under the terms of our Subscriber 
Agreement. GlobalSign may
revoke the certificate if no action is taken by the certificate owner.
  
If you have any questions about this report, please contact our support team 
anytime by responding to this email,
live chat at www.globalsign.com(live chat button) or reach us to any of the 
numbers
from this page https://www.globalsign.com/en/company/contact/
  
We will keep you posted for updates.
Sincerely,
GlobalSign Support Team
ref:_00D20BO9n._5003Y1quzXh:ref
----->8-----

As far as I can tell, this was practically the same request as they had sent
previously, just worded slightly differently.

2020-03-08 00:42:05Z I notice the interesting stream of e-mails from
GlobalSign that had arrived, and reply to the last of them as follows:

-----8<-----
Date: Sun, 8 Mar 2020 11:42:05 +1100
From: "mpal...@hezmatt.org" <mpal...@hezmatt.org>
To: Report - Abuse <report-ab...@globalsign.com>
Subject: Re: Problem Report for certificate(s) with compromised private key [
 ref:_00D20BO9n._5003Y1quzXh:    [ ref:_00D20BO9n._5003Y1quzXh:ref ]

The information you seek can be found from the crt.sh link I provided in the
original report.

- Matt

[Quoted e-mails from GlobalSign elided]
----->8-----

2020-03-08 20:12:32Z Certificate is revoked by GlobalSign.  (timestamp taken
from the CRL revocation date on https://crt.sh/?id=2522275549)

2020-03-09 11:03:28Z E-mail received from GlobalSign:

-----8<-----
Hello Matt,

GlobalSign has received a report of abuse linked to certificate with common 
name www.lunarisecraft.ru.

This is to inform you that the said certificate has already been revoked from 
our records.

If you have any questions concerning this report, please contact our report 
abuse team anytime by responding to this email or emailing us directly at 
report-ab...@globalsign.com.

Sincerely,
GlobalSign Support Team
----->8-----

Time from initial report sent (2020-03-06 21:48:53Z) to the revocation
timestamp published in a CRL (2020-03-08 20:12:32Z): 46h 23m 32s

- Matt
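Added example, not part of Matt's post and not GlobalSign's tooling: a Go program that performs, from a CA's side, the two checks this timeline turns on. `proofOfPossession` verifies that the CSR in a problem report is validly self-signed and that its key has the same SPKI SHA-256 as the reported certificate, which is exactly the value the crt.sh `?spkisha256=` link identifies, so a report like the one above already carries everything needed to act on it. `revocationLag` reads the revocationDate for the certificate's serial out of the published CRL and compares it against the 24-hour Baseline Requirements window. The certificate, CSR and CRL are constructed in `buildScenario` with a hypothetical issuer ("Example Issuing CA", leaf serial 0x2f1a, `www.example.test`); only the two timestamps come from the timeline, and all function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// brDeadline is the Baseline Requirements window for revoking after a key-compromise report.
const brDeadline = 24 * time.Hour

// spkiSHA256 hashes a DER SubjectPublicKeyInfo. This is the value behind crt.sh's
// ?spkisha256= parameter, so it identifies every certificate that shares the key.
func spkiSHA256(rawSPKI []byte) string {
	sum := sha256.Sum256(rawSPKI)
	return hex.EncodeToString(sum[:])
}

// proofOfPossession checks that the CSR attached to a problem report verifies under its own
// key and that the key is the one in the certificate identified by spki (hex SPKI SHA-256).
func proofOfPossession(csrDER []byte, spki string) (bool, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return false, err
	}
	if err := csr.CheckSignature(); err != nil {
		return false, err // signature does not verify under the CSR's own public key
	}
	return spkiSHA256(csr.RawSubjectPublicKeyInfo) == spki, nil
}

// revocationLag finds serial in a DER CRL and returns how long after reportedAt the
// published revocationDate falls, and whether that lag meets the BR deadline.
func revocationLag(crlDER []byte, serial *big.Int, reportedAt time.Time) (time.Duration, bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return 0, false, err
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(serial) == 0 {
			lag := e.RevocationTime.Sub(reportedAt)
			return lag, lag <= brDeadline, nil
		}
	}
	return 0, false, fmt.Errorf("serial %x not present in CRL", serial)
}

// Scenario is a constructed fixture: a hypothetical issuer, the leaf whose key leaked, the
// CSR a reporter would attach as proof, and the issuer's CRL carrying the revocation entry.
type Scenario struct {
	Issuer   *x509.Certificate
	Leaf     *x509.Certificate
	ProofCSR []byte
	CRL      []byte
}

func must[T any](v T, err error) T { // fixture code only: panic instead of plumbing errors
	if err != nil {
		panic(err)
	}
	return v
}

func buildScenario(revokedAt time.Time) *Scenario {
	leaked := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // the disclosed key (constructed)
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{ // hypothetical issuer; crlSign and a SubjectKeyId are needed to sign a CRL
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Issuing CA"},
		NotBefore: revokedAt.Add(-365 * 24 * time.Hour), NotAfter: revokedAt.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, SubjectKeyId: []byte{1, 2, 3, 4},
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(0x2f1a), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: revokedAt.Add(-30 * 24 * time.Hour), NotAfter: revokedAt.Add(30 * 24 * time.Hour),
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leaked.PublicKey, caKey))))
	crl := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(7), ThisUpdate: revokedAt, NextUpdate: revokedAt.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: revokedAt}},
	}, ca, caKey))
	proof := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, leaked))
	return &Scenario{Issuer: ca, Leaf: leaf, ProofCSR: proof, CRL: crl}
}

func main() {
	reported := time.Date(2020, 3, 6, 21, 48, 53, 0, time.UTC) // timestamps from the timeline above
	revoked := time.Date(2020, 3, 8, 20, 12, 32, 0, time.UTC)
	s := buildScenario(revoked)
	ok, err := proofOfPossession(s.ProofCSR, spkiSHA256(s.Leaf.RawSubjectPublicKeyInfo))
	lag, within, _ := revocationLag(s.CRL, s.Leaf.SerialNumber, reported)
	fmt.Printf("CSR proves possession: %v (err=%v); lag %v, within 24h: %v\n", ok, err, lag, within)
}
```

Run as is, it reports that the CSR proves possession and that the lag between the report at 2020-03-06 21:48:53Z and the CRL's 2020-03-08 20:12:32Z entry is 46h23m39s, well outside the 24h window. The same `proofOfPossession` call against the issuer's SPKI returns false, which is the check that stops a report from being acted on against the wrong certificate. `crl.RevokedCertificates` is the older field name; Go 1.21 added `RevokedCertificateEntries`, but the older field is still populated, so the example builds on earlier toolchains too.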

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy