Hello MDSP community,

I've been attempting to collect a dataset of CRLs by fetching each CRL URL 
present in the "Full CRL Issued By This CA" and "JSON Array of Partitioned 
CRLs" columns of the "all certificate records" CSV report available from 
CCADB[0].

This has uncovered a handful of mis-configurations that I believe should be 
remedied. They fall into three categories of failure:

1) CRL URLs that return a 403 Forbidden response.
2) CRL URLs that return a 404 Not Found response.
3) CRL URLs that return an x509 certificate, not a CRL.

The failures affect four distinct CA owners: Sectigo, GlobalSign nv-sa, 
Entrust, and Autoridad de Certificacion Firmaprofesional.

I'm disappointed that this is still a problem given Andrew Ayer previously 
shared similar results[1] back in September 2022. I would strongly 
encourage affected CAs to invest in monitoring of disclosed CRL URLs so 
that it doesn't fall to the broader Mozilla community to do this work on a 
regular basis.

Forbidden responses:

* CA Owner: Sectigo
  * Salesforce Record ID 001o000000poU6CAAU
    * CRL URL: http://crl.nicecert.com/eBizNetworksCodeSigningCA.crl
  * Salesforce Record ID 001o000000piSaqAAE
    * CRL URL: http://crl.nicecert.com/eBizNetworksLASSLCA.crl

Not found responses:

* CA Owner: GlobalSign nv-sa
  * Salesforce Record ID 0014o00001l1GHoAAM
    * CRL URL: http://crl.globalsign.com/ca/gsatlaseccr5ovtlsca202012.crl
  * Salesforce Record ID 0011J00001ha3YgQAI
    * CRL URL: http://crl.globalsign.com/ca/dpdhlusercai5.crl
  * Salesforce Record ID 0014o00001l1GGCAA2
    * CRL URL: http://crl.globalsign.com/ca/gsatlaseccr5dvtlsca202012.crl
* CA Owner: Entrust
  * Salesforce Record ID 001o000000p2VbmAAE
    * CRL URL: http://crl.entrust.net/class1.crl

Not a CRL responses:

* CA Owner: Autoridad de Certificacion Firmaprofesional
  * Salesforce Record ID 0018Z00002nth12QAA
    * CRL URL: http://crl.firmaprofesional.com/ica-a01-qwac.crt
  * Salesforce Record ID 0018Z00002nth2KQAQ
    * CRL URL: http://crl.firmaprofesional.com/ica-a02-noqwac.crt

Thanks,

- Daniel (@cpu)

[0]: https://ccadb-public.secure.force.com/ccadb/AllCertificateRecordsCSVFormat
[1]: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/Wm9Sf1AEbig/m/ANbMpBVFBwAJ
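The check the post describes (pull every disclosed CRL URL out of the CCADB CSV, fetch it, and sort the results into "forbidden", "not found", "not a CRL" and "ok") can be scripted. The following is an added example written for this page, not Daniel's tooling and not anything published by CCADB or the affected CAs. It assumes the CSV carries "CA Owner" and "Salesforce Record ID" columns alongside the two CRL columns named in the post, and it injects the HTTP fetcher so the classifier can be exercised offline: the sample CSV rows, the hand-built DER blobs and the fake fetcher are all constructed for the example. The "is this a CRL or a certificate" test is a minimal DER walk rather than a full X.509 parser: in both structures the TBS contains the signature AlgorithmIdentifier followed by the issuer Name, and what comes next is a Time in a CertificateList but a Validity SEQUENCE in a Certificate.

```python
"""Collect CRL URLs from a CCADB-style CSV export and classify what each
URL actually serves. Added example; assumes the column names below."""
import base64
import csv
import io
import json
from typing import Callable, Dict, List, Tuple

FULL_CRL_COL = "Full CRL Issued By This CA"          # names from the post
PARTITIONED_CRL_COL = "JSON Array of Partitioned CRLs"
OWNER_COL, RECORD_COL = "CA Owner", "Salesforce Record ID"  # assumed names

Record = Tuple[str, str, str]            # (ca_owner, record_id, url)
Fetcher = Callable[[str], Tuple[int, bytes]]   # url -> (status, body)


def collect_crl_urls(csv_text: str) -> List[Record]:
    """Every disclosed CRL URL, from both the full-CRL and partitioned columns."""
    out: List[Record] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        owner, rec = row.get(OWNER_COL, "").strip(), row.get(RECORD_COL, "").strip()
        full = row.get(FULL_CRL_COL, "").strip()
        if full:
            out.append((owner, rec, full))
        raw = row.get(PARTITIONED_CRL_COL, "").strip()
        if raw:
            try:
                urls = json.loads(raw)          # column holds a JSON array of URLs
            except json.JSONDecodeError:
                urls = []
            out.extend((owner, rec, u.strip()) for u in urls
                       if isinstance(u, str) and u.strip())
    return out


def _der_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV at pos -> (tag, content, next_pos); short and long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der_children(content: bytes) -> List[Tuple[int, bytes]]:
    kids, pos = [], 0
    while pos < len(content):
        tag, body, pos = _der_read(content, pos)
        kids.append((tag, body))
    return kids


def classify_der(body: bytes) -> str:
    """'crl', 'certificate' or 'unknown'. Skips leading version/serial fields,
    takes the first SEQUENCE (AlgorithmIdentifier), the next (issuer Name),
    then looks at the element after the issuer: Time => CRL, SEQUENCE => cert."""
    try:
        tag, outer, _ = _der_read(body, 0)
        tbs_tag, tbs, _ = _der_read(outer, 0)
        if tag != 0x30 or tbs_tag != 0x30:
            return "unknown"
        kids = _der_children(tbs)
        first_seq = next(i for i, (t, _) in enumerate(kids) if t == 0x30)
        after_issuer = kids[first_seq + 2][0]
    except (IndexError, StopIteration):
        return "unknown"
    if after_issuer in (0x17, 0x18):     # UTCTime / GeneralizedTime = thisUpdate
        return "crl"
    return "certificate" if after_issuer == 0x30 else "unknown"


def classify_body(body: bytes) -> str:
    """Accept DER or PEM; the PEM label is ignored, the inner DER decides."""
    text = body.strip()
    if text.startswith(b"-----BEGIN "):
        b64 = b"".join(l for l in text.splitlines() if not l.startswith(b"-----"))
        try:
            return classify_der(base64.b64decode(b64, validate=True))
        except ValueError:
            return "unknown"
    return classify_der(body)


def classify_response(status: int, body: bytes) -> str:
    if status == 403:
        return "forbidden"
    if status == 404:
        return "not_found"
    if status != 200:
        return f"http_{status}"
    kind = classify_body(body)
    return "ok" if kind == "crl" else f"not_a_crl:{kind}"


def audit(csv_text: str, fetch: Fetcher) -> Dict[str, List[Record]]:
    """Group every disclosed URL by what fetching it produced."""
    report: Dict[str, List[Record]] = {}
    for owner, rec, url in collect_crl_urls(csv_text):
        status, body = fetch(url)
        report.setdefault(classify_response(status, body), []).append((owner, rec, url))
    return report


# ---- constructed sample data (not real CAs, URLs or CRLs) ----
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

_ALG = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA
_ISSUER = _der(0x30, b"")                                # empty Name placeholder
_T1, _T2 = _der(0x17, b"240101000000Z"), _der(0x17, b"250101000000Z")
SAMPLE_CRL = _der(0x30, _der(0x30, _der(0x02, b"\x01") + _ALG + _ISSUER + _T1)
                  + _ALG + _der(0x03, b"\x00"))
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
                   + _ALG + _ISSUER + _der(0x30, _T1 + _T2)) + _ALG + _der(0x03, b"\x00"))
SAMPLE_CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_CERT)
                   + b"\n-----END CERTIFICATE-----\n")
SAMPLE_CSV = '''CA Owner,Salesforce Record ID,Full CRL Issued By This CA,JSON Array of Partitioned CRLs
Example CA A,REC-A,http://crl.example/a.crl,
Example CA B,REC-B,,"[""http://crl.example/b1.crl"", ""http://crl.example/b2.crl""]"
Example CA C,REC-C,http://crl.example/c.crt,
'''
SAMPLE_RESPONSES = {
    "http://crl.example/a.crl": (200, SAMPLE_CRL),
    "http://crl.example/b1.crl": (403, b"Forbidden"),
    "http://crl.example/b2.crl": (404, b"Not Found"),
    "http://crl.example/c.crt": (200, SAMPLE_CERT),   # certificate served as a "CRL"
}

def fake_fetch(url: str) -> Tuple[int, bytes]:
    return SAMPLE_RESPONSES.get(url, (404, b""))


if __name__ == "__main__":
    for category, records in sorted(audit(SAMPLE_CSV, fake_fetch).items()):
        for owner, rec, url in records:
            print(f"{category:24} {owner:15} {rec:8} {url}")
```

To run it against the live export, replace fake_fetch with a function that downloads the URL (for instance with urllib.request, following redirects and returning the final status and body); the classification logic stays the same. The DER heuristic is deliberately lenient about the issuer Name and signature fields, so a CA's monitoring should still hand any "ok" result to a real CRL parser (and check nextUpdate) rather than trusting this triage alone.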
