On Sat, 21 Mar 2020 13:40:21 +1100 Matt Palmer via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Oh the facepalm, it burns (probably too much hand sanitizer)... let > me try that again. Use soap and water where practical. And, as the BBC Comedy TV show "That Mitchell & Webb Look" put it many years ago "Remain indoors". > There's also this one, which is another reuse-after-revocation, but > the prior history of this key suggests that there's something *far* > more interesting going on, given the variety of CAs and domain names > it has been used for (and its current residence, on a Taiwanese > traffic stats server): > > > https://crt.sh/?spkisha256=69fc5edbd904577629121b09c49b711e201c46213e5b175bbee08a4d1d30b3c7 > > If anyone figures out the story with that last key, I'd be most > pleased to hear about it. Sure. This requires a small degree of insight into how little ordinary people (even say IT people) understand about public key cryptography. These servers are running PRTG - a network monitoring tool from an outfit named Paessler. The software offers a web interface with SSL. PRTG is supplied as Windows software, and I have just installed it on my games PC (hopefully uninstalling it will be easy because this is no time to go out shopping for a PC) to verify the following: Rather than mint an RSA key pair and self-signed certificate to bootstrap each install, they just supply a (presumably randomly generated) key and certificate right in the install data. They don't have one of those (often rather archaic but functional) UIs where it mints new RSA keys and gives you a CSR for them. Instead it offers either a tool that will convert keys and certificates and install them, or you can just paste the files into the right place and restart the software. Now, for you or me the provided default RSA key is obviously no use and you'd mint your own with your preferred tools before requesting a publicly trusted certificate or indeed using your own in-house CA. But if you don't know much about this stuff and you find there's a perfectly nice RSA key supplied with the software it seems natural to use it. Whereupon of course now your "real" publicly trusted certificate is for a key which in reality is available to anybody with the insight to guess which software you're using. Oops. Here's their demo certificate, the associated Private Key is freely available to download as part of their software, but there's no need for me to paste it here. -----BEGIN CERTIFICATE----- MIIDpjCCAo6gAwIBAgIJAMM2JGwQ4/iqMA0GCSqGSIb3DQEBBQUAMEAxHjAcBgNV BAoTFVBSVEcgRGVtbyBDZXJ0aWZpY2F0ZTEeMBwGA1UEAxMVUFJURyBEZW1vIENl cnRpZmljYXRlMB4XDTEzMDcwODExMTUwNVoXDTIzMDcwNjExMTUwNVowQDEeMBwG A1UEChMVUFJURyBEZW1vIENlcnRpZmljYXRlMR4wHAYDVQQDExVQUlRHIERlbW8g Q2VydGlmaWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsR6TJ IF2cRzoUfElst4CxY3q6vnWzZ0U0wrO6pdrVbrWqVcmofC9bxiLpW8AtlsQ0cVAQ r64juKbivQV6ggpIrFpYE505VDbu6tvqYR8nY2wtNJZNwKhT0hpBNmgujceaDc/q ghTIzaZGbtzas7HX1g8bBs81mw0TUI+IJNDAz+tbQM0NPxl/BY0LSuRX7ApUp/jn veUWXzpBb8BbCriQXPeykQuVXF2oWZ4d5B6X8mxl4GhzjmoQsTr0xGi0pWz1Tc0h Wkcd0hU633Hw1tjL82j8x5uEwy/nrb3ShMOzKtVpsoFA0TBc5BaIgbQvJpBk0Qd6 cfCxnLPjZQj4+AcFAgMBAAGjgaIwgZ8wHQYDVR0OBBYEFO6ncMKuxL4p7cwozSn1 USIYzEK5MHAGA1UdIwRpMGeAFO6ncMKuxL4p7cwozSn1USIYzEK5oUSkQjBAMR4w HAYDVQQKExVQUlRHIERlbW8gQ2VydGlmaWNhdGUxHjAcBgNVBAMTFVBSVEcgRGVt byBDZXJ0aWZpY2F0ZYIJAMM2JGwQ4/iqMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN AQEFBQADggEBAKm6SueZqG7mVSyls2D/kFPoxsh1inctOeQPHbwMAVMCD68KGlJh kSicHq7bISy0aSioGRZe6rS12bcYRkqtgg0DjQ+ZmtHPBJTgrXIqZW0jHuqN6vyS d4IDCNQGrQQgQ+uC6V71EDcM6WDULuDygqdvM2D1gc8u2di8Rp3MpKfHAi8n0yRu 00B+01aqce/EA0b0dBPeJciKfB1cAU3CEGoLNVS/F8skumn7Q/kWwbuyjz0Nb66m 3WJOu1yAXPalEdRHQIiXEbnJgT5YrNU1R74CSdOATSKjk6kkWromGH63onF8wSS0 hh/btapuzGY6VPSscqMh3k9ji0+sPdxy3+U= -----END CERTIFICATE----- Nick. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
