On Thursday, May 21, 2020 at 12:33:25 PM UTC+10, Matt Palmer wrote:
> On Tue, May 19, 2020 at 07:33:00PM -0700, sandybar497--- via
> dev-security-policy wrote:
> > Here are the original headers (omitting my email)
> >
> > ***
> >
> > MIME-Version: 1.0
> > Date: Thu, 7 May 2020 12:07:07 +0000
> > Message-ID:
> > <CANb+OL=25wrEtLMXSgEbv=6eudrhgdugr+fyg5agsugej6o...@mail.gmail.com>
> > Subject: Certificate Problem Report - compromised key
> > From: sandy <sandy...@gmail.com>
> [...]
> > https://crt.sh/?spkisha256=e92984ace6f80c75b092df972962f2d3f1365ba08c8bbf9b98cdf3aec20d2d2d
>
> crt.sh sez:
>
> Revoked (cessationOfOperation) 2020-05-08 16:55:17 UTC
>
> Got to say, that definitely does look like over 24 hours from e-mail to
> revocation. Unfortunately, because you're using gmail, it's tricky to be
> able to demonstrate when GoDaddy *actually* received the e-mail -- I don't
> know of a way to get at the MTA logs to show when it was delivered to the
> remote MTA.
>
> I'd be curious to hear from GoDaddy as to why the revocation reason here is
> marked as "cessationOfOperation", rather than "keyCompromise". That
> seems... fishy.
>
> > Content-Type: application/octet-stream;
> > name="e92984ace6f80c75b092df972962f2d3f1365ba08c8bbf9b98cdf3aec20d2d2d.pem"
> > Content-Disposition: attachment;
> > filename="e92984ace6f80c75b092df972962f2d3f1365ba08c8bbf9b98cdf3aec20d2d2d.pem"
> > Content-Transfer-Encoding: base64
> > X-Attachment-Id: f_k9wq5sjj0
> > Content-ID: <f_k9wq5sjj0>
>
> Somewhere along the line this got lost. It'd be good to have a copy of it,
> for completeness. Since it's in PEM format, you can include it in the body
> of an e-mail -- the Mozilla lists are a bit finicky with attachments.
>
> - Matt

I had received an auto-confirmation email from GoDaddy [donotre...@secureserver.net] just one minute after sending my report; the email reply contained case incident id 41854028.

Here is a copy of the evidence of compromise sent along with my report (PEM encoded CSR signed from original private key).

Requesting GoDaddy to provide an incident report for this matter.

- sandy
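
An added example, not part of the thread and not the reporter's or GoDaddy's tooling: one way a recipient of such a report could check that a CSR really demonstrates possession of the reported key, by verifying the CSR's self-signature and comparing the SHA-256 of its DER SubjectPublicKeyInfo with the value used in the crt.sh `spkisha256` lookup. The names `VerifyCompromiseCSR` and `NewDemoCSR` are hypothetical, and the sample input is a throwaway Ed25519 key generated at run time rather than the CSR from the report.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
)

// VerifyCompromiseCSR (hypothetical helper) accepts a PEM CSR as evidence only if its
// self-signature verifies and its SPKI SHA-256 equals wantSPKI (lowercase hex).
func VerifyCompromiseCSR(csrPEM []byte, wantSPKI string) error {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return fmt.Errorf("no PEM CERTIFICATE REQUEST block found")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err == nil {
		err = csr.CheckSignature() // only the private-key holder can produce this
	}
	if err != nil {
		return fmt.Errorf("CSR rejected: %w", err)
	}
	sum := sha256.Sum256(csr.RawSubjectPublicKeyInfo)
	if got := hex.EncodeToString(sum[:]); got != wantSPKI {
		return fmt.Errorf("CSR key %s is not the reported key", got)
	}
	return nil
}

// NewDemoCSR builds constructed sample input: a throwaway key, its CSR and SPKI hash.
func NewDemoCSR() ([]byte, string, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, "", err
	}
	spki, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an Ed25519 key
	sum := sha256.Sum256(spki)
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), hex.EncodeToString(sum[:]), err
}

func main() {
	csr, spki, _ := NewDemoCSR()
	fmt.Println("evidence accepted:", VerifyCompromiseCSR(csr, spki) == nil)
}
```

The check is independent of key type, so it applies equally to an RSA CSR; a CSR that verifies but hashes to a different SPKI proves possession of some other key and says nothing about the reported certificate.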