Re: Unrevoked/unexpired certificate with Debian Weak Key
I searched through the list of certificates that Rob provided and didn't find any new issues (no valid certificates and none that had been issues since Jan 1, 2017 and not previously disclosed. I've requested an incident report from QuoVadis for the one new certificate that Hanno identified via https://bugzilla.mozilla.org/show_bug.cgi?id=1472052 - Wayne On Mon, Jun 18, 2018 at 6:57 AM Alex Gaynor via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > Sorry -- digging into that 500 was on my plate, but there was a logging bug > on errors... and then some poor docs for the framework I'm using... and > before you know it, the yak stack was piled high. I'll cycle around to that > again this evening. > > Alex > > On Mon, Jun 18, 2018 at 9:53 AM Rob Stradling via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > > On 17/06/18 21:09, Daniel Cater via dev-security-policy wrote: > > > On Monday, 14 May 2018 15:25:43 UTC+1, Rob Stradling > > >> I'm currently running the check against all of the certs on the crt.sh > > >> DB. I'll report back once this has completed. > > > > > > Hi Rob, > > > > > > Did your checks find anything else in the end? > > > > Hi Daniel. Thanks for the reminder. :-) > > > > I found a total of 1,589 certs on the crt.sh DB with Debian weak keys, > > and I did intend to publish a report. I figured that creating a new > > batch on misissued.com would be the best way to present the data, but > > that gives me an HTTP 500 response whenever I try to submit the list of > > crt.sh IDs. > > > > Until misissued.com lets me submit the list, you can find the list of > > affected certs in a table on the crt.sh DB called "has_debian_weak_key". > > > > -- > > Rob Stradling > > Senior Research & Development Scientist > > Email: r...@comodoca.com > ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Unrevoked/unexpired certificate with Debian Weak Key
Sorry -- digging into that 500 was on my plate, but there was a logging bug on errors... and then some poor docs for the framework I'm using... and before you know it, the yak stack was piled high. I'll cycle around to that again this evening. Alex On Mon, Jun 18, 2018 at 9:53 AM Rob Stradling via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On 17/06/18 21:09, Daniel Cater via dev-security-policy wrote: > > On Monday, 14 May 2018 15:25:43 UTC+1, Rob Stradling > >> I'm currently running the check against all of the certs on the crt.sh > >> DB. I'll report back once this has completed. > > > > Hi Rob, > > > > Did your checks find anything else in the end? > > Hi Daniel. Thanks for the reminder. :-) > > I found a total of 1,589 certs on the crt.sh DB with Debian weak keys, > and I did intend to publish a report. I figured that creating a new > batch on misissued.com would be the best way to present the data, but > that gives me an HTTP 500 response whenever I try to submit the list of > crt.sh IDs. > > Until misissued.com lets me submit the list, you can find the list of > affected certs in a table on the crt.sh DB called "has_debian_weak_key". > > -- > Rob Stradling > Senior Research & Development Scientist > Email: r...@comodoca.com > > ___ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Unrevoked/unexpired certificate with Debian Weak Key
On 17/06/18 21:09, Daniel Cater via dev-security-policy wrote: On Monday, 14 May 2018 15:25:43 UTC+1, Rob Stradling I'm currently running the check against all of the certs on the crt.sh DB. I'll report back once this has completed. Hi Rob, Did your checks find anything else in the end? Hi Daniel. Thanks for the reminder. :-) I found a total of 1,589 certs on the crt.sh DB with Debian weak keys, and I did intend to publish a report. I figured that creating a new batch on misissued.com would be the best way to present the data, but that gives me an HTTP 500 response whenever I try to submit the list of crt.sh IDs. Until misissued.com lets me submit the list, you can find the list of affected certs in a table on the crt.sh DB called "has_debian_weak_key". -- Rob Stradling Senior Research & Development Scientist Email: r...@comodoca.com ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Unrevoked/unexpired certificate with Debian Weak Key
On Monday, 14 May 2018 15:25:43 UTC+1, Rob Stradling > I'm currently running the check against all of the certs on the crt.sh > DB. I'll report back once this has completed. Hi Rob, Did your checks find anything else in the end? ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Unrevoked/unexpired certificate with Debian Weak Key
On 14/05/18 11:39, Jakob Bohm via dev-security-policy wrote: On 14/05/2018 10:42, Hanno Böck wrote: Hi, Yesterday was the 10y anniversary of the Debian OpenSSL random number generator bug. A few days ago I did a re-check of the CT logs for vulnerable keys. I found one unexpired, unrevoked certificate issued by a CA called "QuoVadis". I reported it and it's been revoked, they told me they'll check their systems why this certificate issuance wasn't blocked. https://crt.sh/?id=308235142 I also found an unrevoked Wosign cert that I had already reported last year. The abuse contact of wosign bounces mails. (My check was semi-thorough, I didn't have access to all the possible key combinations that could be generated with the Debian bug. There may be more certs in the logs.) You could try the openssl-blacklist package distributed by Debian in both source and prepackaged form. If you use the packaged form, be sure to include the openssl-blacklist-extra package which contains the lists of RSA-4096 and RSA-512 keys. Their included checking program (in the .diff file) is in Python. URL: http://ftp.de.debian.org/debian/pool/main/o/openssl-blacklist/ Today I've added a Debian weak key check feature to crt.sh. I augmented Debian's original blacklists with some other blacklists I generated ~10yrs ago for a few less common key sizes [1]. I'm currently running the check against all of the certs on the crt.sh DB. I'll report back once this has completed. [1] https://secure.comodo.com/debian_weak_keys/ -- Rob Stradling Senior Research & Development Scientist ComodoCA.com ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Unrevoked/unexpired certificate with Debian Weak Key
On 14/05/2018 10:42, Hanno Böck wrote: Hi, Yesterday was the 10y anniversary of the Debian OpenSSL random number generator bug. A few days ago I did a re-check of the CT logs for vulnerable keys. I found one unexpired, unrevoked certificate issued by a CA called "QuoVadis". I reported it and it's been revoked, they told me they'll check their systems why this certificate issuance wasn't blocked. https://crt.sh/?id=308235142 I also found an unrevoked Wosign cert that I had already reported last year. The abuse contact of wosign bounces mails. (My check was semi-thorough, I didn't have access to all the possible key combinations that could be generated with the Debian bug. There may be more certs in the logs.) You could try the openssl-blacklist package distributed by Debian in both source and prepackaged form. If you use the packaged form, be sure to include the openssl-blacklist-extra package which contains the lists of RSA-4096 and RSA-512 keys. Their included checking program (in the .diff file) is in Python. URL: http://ftp.de.debian.org/debian/pool/main/o/openssl-blacklist/ Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Unrevoked/unexpired certificate with Debian Weak Key
Hi, Yesterday was the 10y anniversary of the Debian OpenSSL random number generator bug. A few days ago I did a re-check of the CT logs for vulnerable keys. I found one unexpired, unrevoked certificate issued by a CA called "QuoVadis". I reported it and it's been revoked, they told me they'll check their systems why this certificate issuance wasn't blocked. https://crt.sh/?id=308235142 I also found an unrevoked Wosign cert that I had already reported last year. The abuse contact of wosign bounces mails. (My check was semi-thorough, I didn't have access to all the possible key combinations that could be generated with the Debian bug. There may be more certs in the logs.) -- Hanno Böck https://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: FE73757FA60E4E21B937579FA5880072BBB51E42 ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
