Re: Certificates with invalid "double dot" dnsNames issued from Comodo intermediates

2017-07-18 Thread Jakob Bohm via dev-security-policy

On 18/07/2017 16:44, Rob Stradling wrote:

On 18/07/17 15:31, Jakob Bohm via dev-security-policy wrote:

On 18/07/2017 16:19, Rob Stradling wrote:

On 17/07/17 16:14, Jonathan Rudenberg via dev-security-policy wrote:
This certificate, issued by “Intesa Sanpaolo CA Servizi Esterni 
Enhanced” which chains up to a Baltimore CyberTrust root, contains 
an invalid dnsName of “www.intesasanpaolovita..biz” (note the two 
dots):


https://crt.sh/?q=2B95B474A2646CA28DC244F1AE829C850EA41CF64C75E11A94FE8D228735977B&opt=cablint,x509lint 



This raises some questions about the technical controls in place for 
issuance from this CA.


Yesterday evening Jonathan privately made me aware of a leaf 
certificate (https://crt.sh/?id=73190674) with two SAN:dNSNames that 
contain consecutive dots, which was issued by a Comodo intermediate. 
He found this cert using the crt.sh DB's lint records.


This morning Robin and I have investigated this bug in our code and 
we've taken the following actions:
   - We've deployed a hotfix to our CA system to prevent any further 
"double dot" mis-issuances.


   - We've confirmed that the bug only affected labels to the left of 
the registrable domain.  (e.g., dNSNames of the form www..domain.com 
were not always rejected, but those of the form www.domain..com were 
always rejected).


This doesn't match the one reported by Ben Wilson, which also exhibits 
various Microsoft related oddities:


https://crt.sh/?id=172218371&opt=cablint,x509lint


Hi Jakob.  Why would you expect it to?

Jonathan found certs containing "double dots" in dNSNames in leaf certs 
that chain to both DigiCert roots and Comodo roots.


Note that DigiCert != Comodo.



Sorry, I was misled by the fact that you replied to a thread that only 
discussed the Baltimore certificates.


P.S.

I am subscribed to the newsgroup, no need to CC me on replies.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Certificates with invalid "double dot" dnsNames issued from Comodo intermediates

2017-07-18 Thread Rob Stradling via dev-security-policy

On 18/07/17 15:31, Jakob Bohm via dev-security-policy wrote:

On 18/07/2017 16:19, Rob Stradling wrote:

On 17/07/17 16:14, Jonathan Rudenberg via dev-security-policy wrote:
This certificate, issued by “Intesa Sanpaolo CA Servizi Esterni 
Enhanced” which chains up to a Baltimore CyberTrust root, contains an 
invalid dnsName of “www.intesasanpaolovita..biz” (note the two dots):


https://crt.sh/?q=2B95B474A2646CA28DC244F1AE829C850EA41CF64C75E11A94FE8D228735977B&opt=cablint,x509lint 



This raises some questions about the technical controls in place for 
issuance from this CA.


Yesterday evening Jonathan privately made me aware of a leaf 
certificate (https://crt.sh/?id=73190674) with two SAN:dNSNames that 
contain consecutive dots, which was issued by a Comodo intermediate.  
He found this cert using the crt.sh DB's lint records.


This morning Robin and I have investigated this bug in our code and 
we've taken the following actions:
   - We've deployed a hotfix to our CA system to prevent any further 
"double dot" mis-issuances.


   - We've confirmed that the bug only affected labels to the left of 
the registrable domain.  (e.g., dNSNames of the form www..domain.com 
were not always rejected, but those of the form www.domain..com were 
always rejected).


This doesn't match the one reported by Ben Wilson, which also exhibits 
various Microsoft related oddities:


https://crt.sh/?id=172218371&opt=cablint,x509lint


Hi Jakob.  Why would you expect it to?

Jonathan found certs containing "double dots" in dNSNames in leaf certs 
that chain to both DigiCert roots and Comodo roots.


Note that DigiCert != Comodo.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online



Re: Certificates with invalid "double dot" dnsNames issued from Comodo intermediates

2017-07-18 Thread Jakob Bohm via dev-security-policy

On 18/07/2017 16:19, Rob Stradling wrote:

On 17/07/17 16:14, Jonathan Rudenberg via dev-security-policy wrote:
This certificate, issued by “Intesa Sanpaolo CA Servizi Esterni 
Enhanced” which chains up to a Baltimore CyberTrust root, contains an 
invalid dnsName of “www.intesasanpaolovita..biz” (note the two dots):


https://crt.sh/?q=2B95B474A2646CA28DC244F1AE829C850EA41CF64C75E11A94FE8D228735977B&opt=cablint,x509lint 



This raises some questions about the technical controls in place for 
issuance from this CA.


Yesterday evening Jonathan privately made me aware of a leaf certificate 
(https://crt.sh/?id=73190674) with two SAN:dNSNames that contain 
consecutive dots, which was issued by a Comodo intermediate.  He found 
this cert using the crt.sh DB's lint records.


This morning Robin and I have investigated this bug in our code and 
we've taken the following actions:
   - We've deployed a hotfix to our CA system to prevent any further 
"double dot" mis-issuances.


   - We've confirmed that the bug only affected labels to the left of 
the registrable domain.  (e.g., dNSNames of the form www..domain.com 
were not always rejected, but those of the form www.domain..com were 
always rejected).


This doesn't match the one reported by Ben Wilson, which also exhibits 
various Microsoft related oddities:


https://crt.sh/?id=172218371&opt=cablint,x509lint

   - We've performed an exhaustive search of our certificate database 
and found 2 further unexpired leaf certificates that exhibit this 
"double dot" problem.  I've submitted both of them to some CT logs:

https://crt.sh/?id=174668364
https://crt.sh/?id=174668366

We will revoke all 3 of these leaf certificates ASAP.




Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Certificates with invalid "double dot" dnsNames issued from Comodo intermediates

2017-07-18 Thread Rob Stradling via dev-security-policy

On 17/07/17 16:14, Jonathan Rudenberg via dev-security-policy wrote:

This certificate, issued by “Intesa Sanpaolo CA Servizi Esterni Enhanced” which 
chains up to a Baltimore CyberTrust root, contains an invalid dnsName of 
“www.intesasanpaolovita..biz” (note the two dots):

https://crt.sh/?q=2B95B474A2646CA28DC244F1AE829C850EA41CF64C75E11A94FE8D228735977B&opt=cablint,x509lint

This raises some questions about the technical controls in place for issuance 
from this CA.


Yesterday evening Jonathan privately made me aware of a leaf certificate 
(https://crt.sh/?id=73190674) with two SAN:dNSNames that contain 
consecutive dots, which was issued by a Comodo intermediate.  He found 
this cert using the crt.sh DB's lint records.


This morning Robin and I have investigated this bug in our code and 
we've taken the following actions:
  - We've deployed a hotfix to our CA system to prevent any further 
"double dot" mis-issuances.
  - We've confirmed that the bug only affected labels to the left of 
the registrable domain.  (e.g., dNSNames of the form www..domain.com 
were not always rejected, but those of the form www.domain..com were 
always rejected).
  - We've performed an exhaustive search of our certificate database 
and found 2 further unexpired leaf certificates that exhibit this 
"double dot" problem.  I've submitted both of them to some CT logs:

https://crt.sh/?id=174668364
https://crt.sh/?id=174668366

We will revoke all 3 of these leaf certificates ASAP.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

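Added example, not part of the thread and not Comodo's CA code or crt.sh's lint: a Python model of the blind spot Rob describes (strict checks on the registrable domain, weaker checks on the labels to its left, so www..domain.com passes while www.domain..com is rejected) beside a per-label dNSName check of the kind a pre-issuance lint gate would run. The function names (split_registrable, buggy_dnsname_ok, validate_dnsname, lint_san_dnsnames) are assumptions for illustration, the two-label registrable-domain split is a stand-in for a Public Suffix List lookup, and the SAN list in main is constructed apart from the malformed name quoted in the thread.

```python
"""Added example (hypothetical code): why a dNSName check that only scrutinises
the registrable domain lets "double dot" names through, and what a full
per-label check looks like."""
import re
from typing import Dict, List, Tuple

# RFC 1123 "LDH" label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def split_registrable(name: str) -> Tuple[List[str], str]:
    """Hypothetical helper: treat the last two labels as the registrable domain.
    A real CA would consult the Public Suffix List; this shortcut is an
    assumption made only so the example runs offline."""
    labels = name.split(".")
    if len(labels) < 2:
        return [], name
    return labels[:-2], ".".join(labels[-2:])


def buggy_dnsname_ok(name: str) -> bool:
    """Models the failure mode described in the thread (hypothetical, not the
    CA's actual implementation): the registrable domain is checked label by
    label, but everything to its left is only checked as a flat character set,
    so the empty label produced by consecutive dots is never seen."""
    left, registrable = split_registrable(name)
    if not all(LABEL_RE.match(label) for label in registrable.split(".")):
        return False  # www.domain..com: registrable part is ".com", rejected
    left_part = ".".join(left)
    # Character-class check only: "www." passes because '.' is an allowed char.
    return re.fullmatch(r"[A-Za-z0-9.-]*", left_part) is not None


def validate_dnsname(name: str) -> List[str]:
    """Full syntax check of one SAN dNSName. Returns a list of findings; an
    empty list means the name is acceptable. Every label is checked the same
    way, so the position of a malformed label does not matter."""
    findings: List[str] = []
    if name == "":
        return ["empty dNSName"]
    if len(name) > 253:
        findings.append("total length exceeds 253 octets")
    labels = name.split(".")
    for i, label in enumerate(labels):
        if label == "":
            # One rule covers leading dot, trailing dot and consecutive dots.
            findings.append(f"empty label at index {i} (consecutive, leading or trailing dot)")
        elif label == "*":
            if i != 0:
                findings.append(f"wildcard label at index {i} is not leftmost")
        elif not LABEL_RE.match(label):
            findings.append(f"label {label!r} is not valid LDH syntax (1-63 chars, no edge hyphen)")
    if len(labels) < 2:
        findings.append("name has no registrable domain")
    return findings


def lint_san_dnsnames(names: List[str]) -> Dict[str, List[str]]:
    """Run validate_dnsname over a SAN list and keep only the names with
    findings; this is the shape of a pre-issuance lint gate."""
    report: Dict[str, List[str]] = {}
    for n in names:
        findings = validate_dnsname(n)
        if findings:
            report[n] = findings
    return report


if __name__ == "__main__":
    # Constructed SAN list; the first entry is the malformed name from the thread.
    sample_sans = [
        "www.intesasanpaolovita..biz",
        "www..domain.com",
        "www.domain..com",
        "www.domain.com",
        "*.domain.com",
    ]
    for n in sample_sans:
        print(f"{n:30} buggy_ok={buggy_dnsname_ok(n)!s:5} findings={validate_dnsname(n)}")
    print("lint report:", lint_san_dnsnames(sample_sans))
```

The buggy variant reproduces exactly the asymmetry Rob reports: it rejects www.domain..com because the empty label lands in the strictly checked registrable part, but accepts www..domain.com because the empty label sits to the left. The full check treats every label identically, which is why a per-label validator (or an external lint such as the crt.sh records Jonathan used) catches both forms.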