Hello, I would like to ask for some clarification here:
On Tue, 21 Jan 2025 12:47:51 -0800 (PST) Enrico Entschew <[email protected]> wrote:

> At all times, this incident did not impact our certificate issuance
> infrastructure. The affected data is independent of TLS and/or SMIME
> certificates.

The press release from D-Trust here
https://www.d-trust.net/de/newsroom/news/information-datenschutzvorfall-13-januar-2025
says that the attack only affected https://portal.d-trust.net/

I checked where I would end up when trying to get a TLS certificate from D-Trust. I found this page about TLS/SSL certificates:
https://www.d-trust.net/de/loesungen/tls-ssl-zertifikate

When I click on "TLS/SSL-Zertifikat bestellen" ("Order TLS/SSL certificate"), I end up at https://www.d-trust.net/de/bestellen which gives me two buttons. One is related to E-Health; I would assume that this is unrelated to TLS certificates. The other one says "Zum D-Trust-Portal" ("To the D-Trust portal"), and if I click on it, I end up at https://portal.d-trust.net/

This would at least strongly imply to me that portal.d-trust.net is the place where I would get TLS certificates. Therefore, I would expect that portal.d-trust.net is part of your certificate issuance infrastructure. Can you clarify?

Furthermore, let me say something else about this incident: In my opinion, this is a posterchild example of how not to deal with security issues. The whole wording of the press release - putting scare quotes around "security researcher", etc. - appears to paint this in a way that makes it sound like the security researcher is the problem, and not the fact that, apparently, D-Trust had a very embarrassing and easily avoidable security flaw in their infrastructure. To put it in other words: If a CA reacted like this to an incident with the security of their certificate issuance, I think we would be talking about distrusting that CA.

(And for all the others who may not have followed this incident, it would appear that an anonymous security researcher found a simple IDOR vulnerability in D-Trust's infrastructure.
The researcher decided to stay anonymous, and has asked the Chaos Computer Club to relay the information:
https://www.ccc.de/en/updates/2025/dont-trust

Background here is that there is a very unfortunate legal situation in Germany that can put well-meaning security researchers at risk, even if they follow responsible disclosure practices. There was recently a court ruling that confirmed this; you may want to google for "Modern Solutions" to find more info on that.)

-- 
Hanno Böck - Independent security researcher
https://itsec.hboeck.de/
https://badkeys.info/

To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20250207104018.26191385%40computer.
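The message above names the vulnerability class (IDOR, insecure direct object reference) without describing the flaw itself, and nothing is publicly documented here about how D-Trust's portal was built. The following is an added, generic illustration of that class, written for this page and not taken from the message, from the CCC write-up or from D-Trust: an invented in-memory "document store" with sequential record IDs, a lookup that authenticates but never authorizes (the IDOR), the hardened lookup beside it, and the enumeration check a tester would run to tell the two apart. All names, IDs and sample records are constructed.

```python
"""Added example: a generic IDOR and its fix on a constructed document store.

This does NOT model D-Trust's real portal; the store, users and IDs below are
invented for illustration only.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str
    body: str


# Constructed sample data: sequential, guessable IDs belonging to two users.
DOCUMENTS = {
    1001: Document(1001, "alice", "alice's certificate request"),
    1002: Document(1002, "bob", "bob's uploaded identity documents"),
    1003: Document(1003, "alice", "alice's invoice"),
}


class NotFound(Exception):
    """Raised for both 'no such record' and 'not your record' (see fixed variant)."""


def get_document_vulnerable(session_user: str, doc_id: int) -> Document:
    """IDOR: the caller is authenticated (we know session_user), but the
    record is returned purely by its ID; ownership is never checked."""
    try:
        return DOCUMENTS[doc_id]
    except KeyError:
        raise NotFound(doc_id) from None


def get_document_fixed(session_user: str, doc_id: int) -> Document:
    """Hardened: authorize against the record's owner on every access.

    'Missing' and 'not yours' deliberately produce the same error, so an
    attacker walking the ID space cannot even learn which IDs exist.
    Unguessable IDs alone would not be a fix; the owner check is.
    """
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner != session_user:
        raise NotFound(doc_id)
    return doc


def enumerate_accessible(fetch, session_user: str, id_range):
    """Tester's probe: walk sequential IDs as one user and record what comes
    back. Returns (doc_id, owner) pairs for every record the fetch returned."""
    found = []
    for doc_id in id_range:
        try:
            doc = fetch(session_user, doc_id)
        except NotFound:
            continue
        found.append((doc.doc_id, doc.owner))
    return found


def leaked_foreign_records(fetch, session_user: str, id_range):
    """Records reachable by session_user that belong to someone else.
    A non-empty result is the IDOR finding."""
    return [
        (doc_id, owner)
        for doc_id, owner in enumerate_accessible(fetch, session_user, id_range)
        if owner != session_user
    ]


if __name__ == "__main__":
    probe = range(1000, 1010)
    print("vulnerable:", leaked_foreign_records(get_document_vulnerable, "alice", probe))
    print("fixed:     ", leaked_foreign_records(get_document_fixed, "alice", probe))
```

Run as alice, the vulnerable lookup hands back bob's record 1002, which is exactly the kind of probe a reporter would run over a handful of adjacent IDs; the fixed lookup returns only alice's own records and leaks nothing about which other IDs exist.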
