Hi Hanno,
I have inserted my answers further down in the text --> <-- and hope to
contribute to a better understanding.
Thanks,
Enrico
-----Original Message-----
From: Hanno Böck <[email protected]>
Sent: Friday, February 7, 2025 10:40 AM
To: Entschew, Enrico <[email protected]>
Cc: [email protected]; Amir Omidi (aaomidi) <[email protected]>
Subject: Re: d-trust data protection incident
Hello,
I would like to ask for some clarification here:
On Tue, 21 Jan 2025 12:47:51 -0800 (PST) Enrico Entschew
<[email protected]> wrote:
> At all times, this incident did not impact our certificate issuance
> infrastructure. The affected data is independent of TLS and/or SMIME
> certificates.
The press release from D-Trust here
https://www.d-trust.net/de/newsroom/news/information-datenschutzvorfall-13-januar-2025
says that the attack only affected https://portal.d-trust.net/
I checked where I would end up when trying to get a TLS certificate from
D-Trust.
I found this page about TLS/SSL certificates:
https://www.d-trust.net/de/loesungen/tls-ssl-zertifikate
When I click on "TLS/SSL-Zertifikat bestellen", I end up at
https://www.d-trust.net/de/bestellen
which gives me two buttons. One is related to E-Health, I would assume that
this is unrelated to TLS certificates. The other one says "Zum D-Trust-Portal",
and if I click on it, I end up at https://portal.d-trust.net/
This would at least strongly imply to me that portal.d-trust.net is the place
where I would get TLS certificates. Therefore, I would expect that
portal.d-trust.net is part of your certificate issuance infrastructure.
Can you clarify?
--> S/MIME and TLS certificates cannot be ordered via the ordering platform
"https://portal.d-trust.net/". S/MIME and TLS certificates are requested and
provided via the CMP interface, via ACME or via the self-service portal
“Certificate Service Manager” (https://mycsm.d-trust.net). S/MIME and TLS
certificates can only be requested upon an existing contractual relationship
with the applicant – B2B customers are required to identify an employee to be
provided with access to the self-service portal. <--
Furthermore, let me say something else about this incident:
In my opinion, this is a poster child example of how not to deal with security
issues. The whole wording of the press release - putting scare quotes around
"security researcher", etc. - appears to paint this in a way that makes it
sound like the security researcher is the problem, and not the fact that,
apparently, D-Trust had a very embarrassing and easily avoidable security flaw
in their infrastructure.
To put it in other words: If a CA reacted like this to an incident with the
security of their certificate issuance, I think we would be talking about
distrusting that CA.
(And for all the others who may not have followed this incident, it would
appear that an anonymous security researcher found a simple IDOR vulnerability
in D-Trust's infrastructure. The researcher decided to stay anonymous, and has
asked the Chaos Computer Club to relay the information:
https://www.ccc.de/en/updates/2025/dont-trust
Background here is that there is a very unfortunate legal situation in Germany
that can put well-meaning security researchers at risk, even if they follow
responsible disclosure practices. There was recently a court ruling that
confirmed this, you may want to google for "Modern Solutions" to find more info
on that.)
--> D-Trust is grateful for any information that helps to improve our products
and services. Therefore D-Trust offers a special contact at
https://report.whistleb.com/en/bundesdruckerei. This ensures anonymous
communication in terms of responsible disclosure practices. In the subject case
D-Trust was not contacted here.
We regret the way this case was not disclosed to us at all; instead, we were
forced to react according to standard procedures and with all available legal
measures in such cases. After D-Trust itself discovered the incident,
D-Trust immediately informed the public as well as affected persons and
initiated legal action against persons unknown. The use of our whistleblowing
tool or any other communicative action of responsible disclosure to D-Trust
immediately after the security researcher's discovery would likely have given us
the possibility to react in a different way.
For press inquiries we also offer a respective address: [email protected] <--
--
You received this message because you are subscribed to the Google Groups
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/1102651578.4414.1739360263357%40progov-n2.bs.prod.int.bln.d-trust.de.