Hi, I have recently reported a number of certificates with compromised private keys to CAs due to the recent Fortigate incident. In at least two instances, it appears those reports were not being acted upon due to spam filters either rejecting those reports or putting those mails into quarantine. (The latter is worse, as it does not even generate an error visible to me as a reporter.)
See also:

https://bugzilla.mozilla.org/show_bug.cgi?id=1942241
https://bugzilla.mozilla.org/show_bug.cgi?id=1942877
https://bugzilla.mozilla.org/show_bug.cgi?id=1942879

It would appear this is not the first time something like this has happened:

https://bugzilla.mozilla.org/show_bug.cgi?id=1886626

In all those instances, it appears CAs were using problem reporting mail addresses hosted at Microsoft's email services. It would appear that Microsoft's spam filter has a tendency to filter mails with attachments containing private keys or certificates. (Not that this makes much sense; at least I am not aware of a tendency of spammers to send private keys or X.509 certificates around.)

Obviously, that is far from ideal, as a problem report with certificates and private keys attached is basically the absolute standard case of certificate problem reporting. I would assume that it is the CAs' responsibility to make sure that they can receive such problem reports, and to make sure their mail service does not operate spam filters that filter legitimate problem reports.

As far as I know, Microsoft is a CA itself, a CA root program operator, and part of the CA/Browser Forum. I guess Microsoft representatives are reading this mail. Maybe they want to give helpful advice to their customers in the CA space on how they can configure their mail accounts in a way that allows using them as a reliable problem reporting mechanism.

--
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/

To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20250124095610.0ab20baa%40computer.
