Re: Security concerns with the e-Tugra certificate authority

2023-06-02 Thread 'Clint Wilson' via dev-security-policy@mozilla.org
Hi Kurt, FWIW, these Root CA certificates have not been accepted into the Apple Root Program. Cheers, -Clint > On Jun 2, 2023, at 10:03 AM, 'Kurt Seifried' via CCADB Public > wrote: > > I'm curious, can we get any information from the other major browser vendors > as to whether or not they

Re: Security concerns with the e-Tugra certificate authority

2023-06-02 Thread 'Kurt Seifried' via dev-security-policy@mozilla.org
I'm curious, can we get any information from the other major browser vendors as to whether or not they are removing these certificates, and if not why not? Thanks! On Fri, Jun 2, 2023 at 6:17 AM Ryan Dickson wrote: > All, > > We’d like to extend our appreciation to Ian Carroll for reporting this

Re: Security concerns with the e-Tugra certificate authority

2023-06-02 Thread 'Ryan Dickson' via dev-security-policy@mozilla.org
All, We’d like to extend our appreciation to Ian Carroll for reporting this issue to us, and for Ian’s continued availability during the incident’s discussion (both here and on Bugzilla). After full consideration of the available information related to the vulnerabilities disclosed at https://ian

Re: Security concerns with the e-Tugra certificate authority

2023-02-28 Thread Ryan Hurst
Kathleen, Thanks for the update it is appreciated. Ryan On Tue, Feb 28, 2023 at 10:59 AM Kathleen Wilson wrote: > On Sunday, February 26, 2023 at 1:22:39 AM UTC-8 ryan@gmail.com wrote: > > > This thread and associated bug have been silent for an > uncharacteristically long time, and I am c

Re: Security concerns with the e-Tugra certificate authority

2023-02-28 Thread Kathleen Wilson
On Sunday, February 26, 2023 at 1:22:39 AM UTC-8 ryan@gmail.com wrote: This thread and associated bug have been silent for an uncharacteristically long time, and I am curious as to when this issue will be closed. [Kathleen] I added https://bugzilla.mozilla.org/show_bug.cgi?id=1801345#c19 A

Re: Security concerns with the e-Tugra certificate authority

2023-02-27 Thread 'Kurt Seifried' via dev-security-policy@mozilla.org
On Sun, Feb 26, 2023 at 2:22 AM Ryan Hurst wrote: > > This thread and associated bug have been silent for an > uncharacteristically long time, and I am curious as to when this issue will > be closed. > > > Furthermore, I would like to understand what changes will be put into > place to clarify ap

Re: Security concerns with the e-Tugra certificate authority

2023-02-26 Thread Ryan Hurst
This thread and associated bug have been silent for an uncharacteristically long time, and I am curious as to when this issue will be closed. Furthermore, I would like to understand what changes will be put into place to clarify appropriate incident handling behavior. It is important that Mo

Re: Security concerns with the e-Tugra certificate authority

2022-11-28 Thread Peter Gutmann
Ian Carroll writes: >There are many statements about M of N, HSM access, etc which do not appear >to be relevant to this issue. That's not specific to e-Tugra though, that's standard for CAs where what gets audited is all the fancy security mechanisms around the CA's private key(s) and what bar

Re: Security concerns with the e-Tugra certificate authority

2022-11-25 Thread Ian Carroll
E-Tugra posted a decent reply to the incident report at https://bugzilla.mozilla.org/show_bug.cgi?id=1801345. I don't have a Bugzilla account and think it would be more appropriate to respond to it here. In general, the timeline they have shared is inspiring, and it is good that they took swift

Re: Security concerns with the e-Tugra certificate authority

2022-11-22 Thread 'Kurt Seifried' via dev-security-policy@mozilla.org
Two simple questions that desperately need answers: 1) Does E-Tugra have specific controls in place to ensure systems deployed to production are secured (e.g. default accounts disabled or changed)? 2) If #1 is sufficient, how and why did they fail? If #1 is not sufficient why is it missing such fu

Re: Security concerns with the e-Tugra certificate authority

2022-11-22 Thread Israr Ahmed
Hi Ian Carroll, We are working with several internal teams to get their feedback and analysis on the reported problems. We are compiling a detailed report based on feedback from each team before we publish it. We hope that we will able to complete this activity within a week time. On Saturday

Re: Security concerns with the e-Tugra certificate authority

2022-11-18 Thread Ian Carroll
In the E-Tugra incident report, they state: > Only three documents related to some users' (non SSL) agreements are accessed by the reporter. I just want to clarify that this issue impacted 251,230 uploaded user documents, as shown in their administrative panel, as we

Re: Security concerns with the e-Tugra certificate authority

2022-11-18 Thread Davut Tokgoz
Hi, We really appreciate the efforts of the reporter in identifying some security issues. At the same time, we are also glad that our customer facing SSL ecosystem is secure and hence not vulnerable to security threats. It is our internal ecosystem, deploying some other applications than our

Re: Security concerns with the e-Tugra certificate authority

2022-11-18 Thread Ryan Hurst
In my personal capacity, as I review the published facts that exist here, there are a few broad things from a BR perspective that stand out to me: - All CAs are required to have incident response and compromise handling procedures. The timeline presented in Ian’s post suggests th

Re: Security concerns with the e-Tugra certificate authority

2022-11-18 Thread Israr Ahmed
Hi, We really appreciate the efforts of the reporter in identifying some security issues. At the same time, we are also glad that our customer facing SSL ecosystem is secure and hence not vulnerable to security threats. It is our internal ecosystem, deploying some other applications than our

Re: Security concerns with the e-Tugra certificate authority

2022-11-17 Thread Ian Carroll
The major issues mentioned in the post are resolved after I notified e-Tugra of them. It is important to note that I did not perform an extensive amount of testing of e-Tugra’s systems, given I do not speak Turkish and I found enough issues as it is. Until e-Tugra undertakes a comprehensive securi

Re: Security concerns with the e-Tugra certificate authority

2022-11-17 Thread ke ju
I agree that something should be done swiftly. If you did this, who else could have. Also, has the authority been notified, and have they simply changed the passwords yet? Ie could a threat actor watching this list now go there and get into the system after the disclosure On Thursday, November

Re: Security concerns with the e-Tugra certificate authority

2022-11-17 Thread 'Kurt Seifried' via dev-security-policy@mozilla.org
On Thu, Nov 17, 2022 at 2:59 PM ke ju wrote: > I agree that something should be done swiftly. If you did this, who else > could have. Also, has the authority been notified, and have they simply > changed the passwords yet? Ie could a threat actor watching this list now > go there and get into the

Re: Security concerns with the e-Tugra certificate authority

2022-11-17 Thread 'Kurt Seifried' via dev-security-policy@mozilla.org
Normally I would say e-Tugra needs to reissue all their certificates or like in this case; it would appear they need to reestablish that the certificates were issued properly, which means having all their customers re-create them, establish domain validation, etc. But in this case, I think it's so

Security concerns with the e-Tugra certificate authority

2022-11-17 Thread Ian Carroll
Hi there, Today I published a blog post at https://ian.sh/etugra, describing several serious security issues I discovered in the e-Tugra certificate authority. I was able to obtain access to two e-Tugra administrative systems using default passwords, which disclosed numerous amounts of subscrib