I've noticed this CA has just been found to have a major vulnerability.
A security researcher discovered the following issues with LiteSSL's ACME
server:
According to his post [1]:
1. Flawed ACME IP throttling policy causes frequent certificate issuance
failures.
2. DNS-01 challenge can be exploited to issue wildcard certificates for
arbitrary domains.
The second issue is particularly severe. Reproduction steps:
1. Create a LiteSSL ACME account using your own domain and pass the DNS-01
challenge to request a wildcard certificate.
2. View the list of wildcard certificates issued by this CA and select any
one arbitrarily [2].
3. Using your own ACME account, construct an ACME request to apply for a
wildcard certificate for the selected domain [3].
I recommend the following actions:
1. Based on this CA's certificate issuance list, we need to identify which
wildcard certificates have been issued [2].
2. The CA must take action to fix the vulnerability in the ACME server.
3. The CA must submit an incident report. We need to know: When was the
DNS-01 challenge implemented? How did the vulnerability occur? When was the
earliest exploitation of this vulnerability? Which certificates were
erroneously issued?
4. Revoke the erroneously issued wildcard certificates and immediately
notify the owners of these domains.
5. Based on the certificate CA information, this company is a subordinate
CA of TrustAsia. We need to know: Does LiteSSL share infrastructure with
them?
6. This CA must conduct a thorough investigation of its security measures
and provide a report.
[1] Original source: https://archive.ph/u6U2p
[2] Certificate list: https://crt.sh/?CN=%25&iCAID=438132
[3] Certificate issued by the researcher: https://crt.sh/?q=vaadd.com
--
You received this message because you are subscribed to the Google Groups
"[email protected]" group.
To view this discussion visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/2e4fedd3-c449-41f3-bb2a-9165e74fcc7dn%40mozilla.org.
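As an added illustration (not code from the post, from LiteSSL or from TrustAsia) of the check a conforming ACME server has to perform for the DNS-01 challenge discussed above: the TXT value is derived per RFC 8555 from the challenge token and the requesting account's key thumbprint, and issuance is gated on an authorization keyed by (account, identifier), so one account's validation can never satisfy another account's order. The post does not state the root cause of the LiteSSL issue; the domain, account keys and token below are constructed sample values.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace
    members = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in members}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canon.encode()).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    # RFC 8555 s8.4: TXT holds base64url(SHA-256(token "." thumbprint(account key)))
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def validate_dns01(account_jwk: dict, identifier: str, token: str, resolve_txt) -> bool:
    # A wildcard name is validated at its base name (RFC 8555 s7.1.3), DNS-01 only.
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return dns01_txt_value(token, account_jwk) in resolve_txt(f"_acme-challenge.{base}")


def may_issue(authz_store: dict, account_id: str, identifier: str) -> bool:
    # Authorizations are keyed by (account, identifier). A valid authorization held by
    # another account, or for a different form of the name, must not satisfy the order.
    return authz_store.get((account_id, identifier)) == "valid"


# Constructed sample data: two ACME accounts, one challenge token, a fake DNS zone
ACCOUNT_A = {"kty": "EC", "crv": "P-256", "x": "A-x-constructed", "y": "A-y-constructed"}
ACCOUNT_B = {"kty": "EC", "crv": "P-256", "x": "B-x-constructed", "y": "B-y-constructed"}
TOKEN = "constructed-token-0123456789"
ZONE = {"_acme-challenge.example.com": [dns01_txt_value(TOKEN, ACCOUNT_A)]}


def demo() -> dict:
    lookup = lambda name: ZONE.get(name, [])
    a_ok = validate_dns01(ACCOUNT_A, "*.example.com", TOKEN, lookup)
    b_ok = validate_dns01(ACCOUNT_B, "*.example.com", TOKEN, lookup)
    store = {("acct-A", "*.example.com"): "valid"} if a_ok else {}
    return {
        "a_validates": a_ok,                                        # True
        "b_validates": b_ok,                                        # False: TXT bound to A's key
        "a_may_issue": may_issue(store, "acct-A", "*.example.com"),  # True
        "b_may_issue": may_issue(store, "acct-B", "*.example.com"),  # False
    }


if __name__ == "__main__":
    print(demo())
```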