On Sat, 21 Mar 2020 19:20:27 +0000 Nick Lamb via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Rather than mint an RSA key pair and self-signed certificate to
> bootstrap each install, they just supply a (presumably randomly
> generated) key and certificate right in the install data.

FWIW: Given that with the private key it's easily possible to revoke certificates from Let's Encrypt, I took the key yesterday and iterated over all of them and called the revoke command of certbot.

They were all already revoked except for the latest [1], which was issued on the 20th of March. Now there's this [2] certificate with the same key that apparently got revoked on the 19th.

I strongly recommend Let's Encrypt (and probably all other CAs) blacklist that key if they haven't already done so.

[1] https://crt.sh/?id=2603336468
[2] https://crt.sh/?id=2574981982

-- 
Hanno Böck
https://hboeck.de/
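The check behind the step described above (finding which certificates were issued for a known-compromised key), as an added example that is not Hanno's code or certbot's: it compares SPKI SHA-256 fingerprints with openssl, assuming the compromised key and the candidate certificates (e.g. saved from crt.sh) are PEM files on disk. The matches are the certificates a CA should revoke and an operator should replace.

```shell
#!/bin/sh
# Added example, not from the original post. Compares the SubjectPublicKeyInfo
# fingerprint of a private key with that of certificates, so every certificate
# embedding the compromised key can be listed (and then revoked/replaced).
set -eu

# spki_of_key <key.pem>: SHA-256 over the DER-encoded SubjectPublicKeyInfo
# derived from the private key.
spki_of_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# spki_of_cert <cert.pem>: the same fingerprint, taken from the certificate,
# so keys and certificates become directly comparable.
spki_of_cert() {
  openssl x509 -in "$1" -pubkey -noout \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# key_matches_cert <key.pem> <cert.pem>: exit 0 when the certificate was
# issued for exactly this key.
key_matches_cert() {
  [ "$(spki_of_key "$1")" = "$(spki_of_cert "$2")" ]
}

# find_affected <key.pem> <cert.pem>...: print each certificate path whose
# public key equals the given (compromised) key.
find_affected() {
  key=$1; shift
  want=$(spki_of_key "$key")
  for c in "$@"; do
    if [ "$(spki_of_cert "$c")" = "$want" ]; then
      echo "$c"
    fi
  done
}

# Usage: ./check.sh compromised-key.pem cert1.pem cert2.pem ...
if [ $# -ge 2 ]; then
  find_affected "$@"
fi
```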