Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-09-06 Thread Kathleen Wilson
I updated https://bugzilla.mozilla.org/show_bug.cgi?id=1299579#c9 with: "... here is the approach that we plan to take: We will add the "Hongkong Post e-Cert CA 1 - 10" intermediate cert to OneCRL at the end of October. Please replace all of the SSL certs chaining up to this intermediate cert

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-09-01 Thread Matt Palmer
On Thu, Sep 01, 2016 at 07:48:23PM +0800, Man Ho (Certizen) wrote: > > On 9/1/2016 6:13 PM, Matt Palmer wrote: > > You might want to let them know it's time to get new certs. > > > > - Matt > We did inform all subscribers back in October 2014 that SHA-1 SSL server > cert was CEASED since 1

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-09-01 Thread Nick Lamb
On Thursday, 1 September 2016 12:48:34 UTC+1, Man Ho (Certizen) wrote: > We did inform all subscribers back in October 2014 that SHA-1 SSL server > cert was CEASED since 1 January 2016, and reminded each of them > individually that SHA-1 SSL server cert will no longer be trusted by > browsers

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-09-01 Thread Man Ho (Certizen)
On 9/1/2016 6:13 PM, Matt Palmer wrote: > You might want to let them know it's time to get new certs. > > - Matt We did inform all subscribers back in October 2014 that SHA-1 SSL server cert was CEASED since 1 January 2016, and reminded each of them individually that SHA-1 SSL server cert will no

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-09-01 Thread Matt Palmer
On Thu, Sep 01, 2016 at 10:14:01AM +0800, Man Ho (Certizen) wrote: > What about our existing SSL server certs, which are still valid until 31 > Dec 2016? The majority of those cert. subscribers are offering government > and public services to residents of Hong Kong. You might want to let them know

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-09-01 Thread Man Ho (Certizen)
On 9/1/2016 3:52 AM, Nick Lamb wrote: > It may make sense to explicitly tell Hongkong Post that it must not do > anything which would have the effect of subverting/ undoing this change. For > example, if Hongkong Post wants to create a new certificate for the > intermediate "Hongkong Post

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-31 Thread Man Ho (Certizen)
What about our existing SSL server certs, which are still valid until 31 Dec 2016? The majority of those cert. subscribers are offering government and public services to residents of Hong Kong. And I believe the impact to residents of Hong Kong will be huge when the browser suddenly prompts a warning

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-31 Thread Nick Lamb
On Wednesday, 31 August 2016 19:32:43 UTC+1, Kathleen Wilson wrote: > Thanks to all of you who have provided thoughtful and constructive input into > this discussion. > > I have filed https://bugzilla.mozilla.org/show_bug.cgi?id=1299579 to request > that the "Hongkong Post e-Cert CA 1 - 10"

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-31 Thread Kathleen Wilson
Thanks to all of you who have provided thoughtful and constructive input into this discussion. I have filed https://bugzilla.mozilla.org/show_bug.cgi?id=1299579 to request that the "Hongkong Post e-Cert CA 1 - 10" intermediate cert be added to OneCRL. See the bug for further details. Kathleen

RE: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Richard Wang
I checked the certificate: it is a client certificate issued to the individual -- PANG Ming Sum: CN = PANG Ming Sum E = todd.p...@autotoll.com.hk OU = AUTOTOLL LIMITED OU = 21506338215100635386 OU = 0001890584 O = Hongkong Post e-Cert (Organisational) C = HK The problem is this certificate

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Andrew Ayer
On Wed, 17 Aug 2016 11:43:45 -0700 (PDT) cspann...@gmail.com wrote: > On Wednesday, August 17, 2016 at 10:31:29 AM UTC-7, Andrew Ayer wrote: > > The attacker has to be able to control (or predict) the prefix of > > the data signed by the CA (which in the case of a TBSCertificate, > > includes the

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Andrew Ayer
On Wed, 17 Aug 2016 19:08:08 +0200 Kurt Roeckx wrote: > On Wed, Aug 17, 2016 at 09:55:24AM -0700, Ryan Sleevi wrote: > > > I don't think adding that CA certificate to OneCRL is enough, > > > that would only protect Mozilla users. They should revoke all > > > the relevant

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Kurt Roeckx
On Wed, Aug 17, 2016 at 09:55:24AM -0700, Ryan Sleevi wrote: > > I don't think adding that CA certificate to OneCRL is enough, that would > > only protect Mozilla users. They should revoke all the relevant > > certificates. > > Define "relevant"? If a SHA-1 collision has been mounted, Hongkong

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Ryan Sleevi
On Wednesday, August 17, 2016 at 2:53:38 AM UTC-7, ma...@certizen.com wrote: > Through our effort of sunsetting the "Hongkong Post e-Cert CA 1 - 10" for SSL > certificate, majority of SHA-1 SSL certificates will be expired by 31 Dec > 2016, remaining only a few SHA-1 SSL certificates that are

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Nick Lamb
On Wednesday, 17 August 2016 04:24:27 UTC+1, Ryan Sleevi wrote: > That option's pretty much a non-starter for reasons best not speculated about, > but I'm curious: Why or how would that improve the security of Mozilla users? > And if it doesn't meaningfully improve their security, how would it

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread manho
On Wednesday, August 17, 2016 at 3:02:26 PM UTC+8, Matt Palmer wrote: > On Tue, Aug 16, 2016 at 10:22:36PM -0700, ma...@certizen.com wrote: > > and have been issuing SHA-256 SSL certificates under "Hongkong Post e-Cert > > CA 1- 14" and "Hongkong Post e-Cert CA 1 - 15" respectively > >

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Matt Palmer
On Wed, Aug 17, 2016 at 10:22:13AM +0200, Kurt Roeckx wrote: > On 2016-08-17 00:23, Ryan Sleevi wrote: > >Practically speaking, what steps could be taken? > > 6) Ask them to immediately stop issuing SHA-1 based certificates that chain > back to any of the root certificates in the Mozilla root

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Kurt Roeckx
On 2016-08-17 00:23, Ryan Sleevi wrote: Practically speaking, what steps could be taken? 6) Ask them to immediately stop issuing SHA-1 based certificates that chain back to any of the root certificates in the Mozilla root store, and revoke the one they shouldn't have issued. If they fail to

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Matt Palmer
On Tue, Aug 16, 2016 at 10:22:36PM -0700, ma...@certizen.com wrote: > and have been issuing SHA-256 SSL certificates under "Hongkong Post e-Cert > CA 1- 14" and "Hongkong Post e-Cert CA 1 - 15" respectively "respectively" in what sense? > This certificate is a client certificate issued to a

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-16 Thread Ryan Sleevi
On Tuesday, August 16, 2016 at 11:53:24 AM UTC-7, Kathleen Wilson wrote: > Our understanding: "The real problem here is that the issuing > certificate is using sha-1 with predictable serial numbers. ... If a > chosen-prefix attack on sha-1 were discovered... an attacker could use > this CA to

Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-16 Thread Kathleen Wilson
All, It has come to our attention that Hongkong Post has recently issued a SHA1 cert that can be used in TLS/SSL. https://bugzilla.mozilla.org/show_bug.cgi?id=1267332#c3 The certificate was signed by the "Hongkong Post e-Cert CA 1 - 10" intermediate certificate. From the CA: "This