- Adbot
-
ADBOT LOVES YOU
|
|
#
?
May 5, 2024 23:24
|
|
- infernal machines
- Oct 11, 2012
-
we monitor many frequencies. we listen always. came a voice, out of the babel of tongues, speaking to us. it played us a mighty dub.
|
pleased to see Ligma Certificate Authority and Burger Barn, LLC recognized
|
#
?
Apr 23, 2024 21:36
|
|
- post hole digger
- Mar 21, 2011
-
|
pleased to see Ligma Certificate Authority and Burger Barn, LLC recognized
|
#
?
Apr 23, 2024 21:39
|
|
- Antigravitas
- Dec 8, 2019
-
Die Rettung fuer die Landwirte:
|
Getting serious Honest Entrust's Used Cars and Certificates vibes tbh.
|
#
?
Apr 23, 2024 21:45
|
|
- Winkle-Daddy
- Mar 10, 2007
-
|
unrelated:
ok wait I’m hearing that the Palo vuln that destroyed the world is a loving ../ traversal bug in HTTP handling?
for real? for real real?
I reviewed access logs in TYOOL 2023 that showed some site was owned via url injection on a loving download.php file lmao -- the fact it wasn't popped in like 2014 was what impressed me most. it turns out that while technology may not be cyclical, vulnerabilities are.
|
#
?
Apr 23, 2024 22:43
|
|
- post hole digger
- Mar 21, 2011
-
|
I reviewed access logs in TYOOL 2023 that showed some site was owned via url injection on a loving download.php file lmao -- the fact it wasn't popped in like 2014 was what impressed me most. it turns out that while technology may not be cyclical, vulnerabilities are.
GAI solves this.
|
#
?
Apr 23, 2024 22:49
|
|
- akadajet
- Sep 14, 2003
-
|
this is a battle that was fought and lost a long time ago. our model requires technicians to be able to install diagnostic software, etc for the equipment they service at client sites.
Admin by request was the compromise so they are at least aren’t running as local admin all the time.
it’s a hell of a lot better than what used to happen, which was domain users automatically added to the local admin group via group policy.
I trialed admin by request for my it dept and it was a huge piece of poo poo
|
#
?
Apr 23, 2024 22:51
|
|
- Wiggly Wayne DDS
- Sep 11, 2010
-
|
there has been some movement today, noting this to make the thread readable at a future date
Entrust: Failure to revoke OV TLS - CPS typographical (text placement) error
(In reply to Ryan Dickson from comment #7)
Ryan Dickson posted:Comment 2 states:
"Our CDN statistics show that between March 22, 2024, 15:02 UTC and March 26, 2024, 17:07 UTC our CPS versions 3.18 and 3.19 were downloaded 30 times by desktop or mobile browsers, excluding Entrust networks.
- Of these 30 downloads we have been able to identify 10 downloads to specific subscribers.
- The downloads are divided over 9 unique IP addresses, one from a known subscriber, one from a known CA.
- The data likely includes downloads from Entrust employees which we have not been able to identify.
- The CPS covers the multiple certificate types we offer.
- This data indicates that the number of subscribers and relying parties that have seen this error is minimal."
Can you help me better understand this statement and how it relates to the principle expectation of a publicly-trusted CA adhering to its documented policies at all times? Also, can you share more about why this justification was offered?
One way of interpreting this statement is an attempt to justify and/or diminish non-compliance on the basis that very few people downloaded the CPS during the affected time period.
This data demonstrates the minimal impact on subscribers and relying parties contributing to the exceptional circumstances of this incident.
Ryan Dickson posted:The underlying issue with this type of justification is that it appears to downplay the fundamental expectation that a CA must adhere to its stated policies and procedures at all times. The CA/Browser Forum Baseline Requirements and other related guidelines emphasize that compliance must be continuous and is not conditional on the extent to which documented policies are accessed by external parties.
We agree that we should adhere to the requirements, this is the reason that we have filed an incident report for not following the requirement to revoke all certificates that were not issued to the letter of the CPS within five days.
Ryan Dickson posted:Fundamentally, a statement claiming that a mistake did not result in significant harm does not diminish the significance of that mistake. The principle at stake is the integrity and trustworthiness of Entrust, which is expected to uphold its commitments irrespective of the level of direct oversight or detection by others in the ecosystem.
We do believe in upholding our commitment to the requirements and our CPS, that we should be detecting these issues ourselves, which we also did for this incident. We also believe, however, that the impact to the ecosystem needs to be taken into consideration.
Ryan Dickson posted:Additionally, as stated on https://www.ccadb.org/cas/incident-report, the Action Items section is supposed to contain a list of remediation items that will be undertaken to ensure that a similar incident does not reoccur in the future and that it is not sufficient for the actions to simply stop the incident in question. What actions will prevent this from happening again? Beyond that, “Transparency" is not one of the described Action categories listed on https://www.ccadb.org/cas/incident-report.
Please see the action items and our answer to question two in bug #1890896.
exceptional circumstances!!!
there were also sizable replies to:
Entrust: CPS typographical (text placement) error
(In reply to Wayne from comment #5)
Wayne posted:I'm looking for clarity here. Entrust states that there is no intention to revoke but cite no authority overriding their obligations.
The issue was noted internally at Entrust on 2024-03-26, but it took 16 days before any public notice appeared. We're still lacking any real information on what happened internally.
Please see bug #1890901 in which we filed for this delayed incident report.
We uphold a commitment to full transparency with the public, and we appreciate your inquiry regarding any uncertainties in this regard. Please feel free to express any concerns or questions you may have, as we strive to ensure clarity and openness in all our communications.
Wayne posted:Q1) Can you document what caused Entrust to start revocation for a day, and then stop?
We have never started or requested customers to revoke certificates in relation to this incident, but certificates are sometimes revoked by customers for other reasons. Except for one, all certificates you listed above belong to one customer. This customer was also impacted by our other incident, and they might have decided to revoke these certificates as well.
Wayne posted:Q2) Can Entrust provide us with a breakdown of outstanding mis-issued certificates, expired certificates, revoked certificates, and a timeframe for each revocation batch (time issued to team, time taken to revoke)?
As stated above, in the impact section of this incident report, this incident involves 6,008 OV TLS certificates that were issued between March 22, 2024, 15:02 UTC and March 26, 2024, 17:07 UTC, a list with links to the certificates has been attached to this bug. In the summary above, we describe why we are not revoking these certificates.
Wayne posted:Q3) What internal discussions occurred at Entrust to change this approach?
Per our response to Q1, we have not changed our approach to revocation in relation to this incident.
Wayne posted:Q4) Did Entrust privately inform any Root Programs of this incident prior to this public report?
While we have spoken with some root programs about the delayed CPS publication, this specific incident has not been discussed.
Wayne posted:Q5) Will there be any additional revocations as required?
We do not intend to revoke these certificates, see also bug #1890898.
Wayne posted:Q6) Can Entrust please explain why they feel they feel they are under no obligation to abide by their own CPS for certificate mis-issuance revocation? The report does not explain what authorities they are relying on.
Please see bug #1890898.
Wayne posted:Q7) Having read Entrust's CPS I can see no mechanism for 'exceptional circumstances' to avoid revocation. Could Entrust clarify where this is as it has been a common theme throughout these incidents?
The Mozilla Wiki describes that there are some exceptional circumstances where revoking the affected certificates within the prescribed deadline may cause significant harm and that the CA is ultimately responsible for deciding if the harm caused by not following the requirements of the Baseline Requirements outweighs the risks that are passed on to individuals who rely on the web PKI.
Neither delayed revocation nor non-revocation is described in the TLS Baseline Requirements.
Wayne posted:Q8) If there will be an update to Entrust's CPS to carve out exceptional circumstances, I trust that there is an understanding that this is not applied retroactively?
We share this understanding.
Wayne posted:Q9) Given the issues in the past month, can Entrust confirm that they are technically capable of mass revocation and reissuance within 24 hours?
Yes.
Wayne posted:Q10) Given the issues in the past month, can Entrust confirm that they are organizationally capable of approving a mass revocation and reissuance event within 24 hours?
Yes, we are.
lot of digging a hole which we'll get into later
(In reply to Ryan Dickson from comment #6)
Ryan Dickson posted:Comment 3 states: "Regarding the action, today subscribers were informed of the CPS changes."
Question 1) Can you share more about this, specifically describing what was communicated to subscribers and how?
Ryan Dickson posted:It's possible to interpret "Regarding the action, today subscribers were informed of the CPS changes." (i.e., "Today, we told subscribers that we updated our CPS.") differently than "Inform subscribers of the CPS error" ("i.e., "We made a mistake.") as described in the Actions table.
We think that the message “errata have been added to CPS releases 3.16, 3.18 and 3.19” is a clear indication that there was an error in these versions.
It was not clear that we were limited to the categories included in the following paragraph.
CCADB Incident Report posted:A classification of whether the action will help Prevent future incidents, Mitigate the impact of future incidents, or Detect future incidents. CA Owners are encouraged to propose action items in all three categories, with an emphasis on prevention and mitigation.
We think that the Transparency action items we included do not fit in any of the listed categories, can you let us know if you want us to post an updated table with these action items or categories removed?
Ryan Dickson posted:Question 3) Looking at one of the CPS documents with an errata (example), I'm having a hard time understanding what is being communicated. Other than the (non-text searchable) phrase "This CPS contains an errata, please see version 3.20" it's not clear what the errata was, what changes were made, or what issues were being addressed.
We included the errata as a PDF comment so that we do not change the original published CPS version. The text "and must contain policyQualifier with cPSuri" on page 85 has been formatted with a red strikethrough, to clearly indicate that this was included as an error.
Ryan Dickson posted:Can you share how this approach meets the intent of "Add errata to CPS version 3.18 and 3.19 to advise readers of the changes?" as described in the Actions table? Also, was adding the errata notice using an image that is not text-searchable intended? The combination of the non-text searchable phrase and the lack of detail make it challenging to understand what the errata has changed or intends to highlight - which does not clearly convey the intended goal of "Transparency" as presently described in the Actions list.
As stated above, the errata were added as a PDF comment, not as an image but as text, so that everyone can verify that we did not modify anything else in the CPS. In Acrobat Reader the comments are searchable and hyperlinked through a list. That stated, we are open to further improvements if you or the community think that would help subscribers and relying parties.
Ryan Dickson posted:The ease of detecting changes across policy versions was a motivating factor for encouraging the use of Markdown as described in the latest version of the Chrome Root Program policy (i.e., "To promote simplicity and clarity, these CA policy documents SHOULD be available in Markdown.")
We are aware of the recent Chrome root program desire to use Markdown for CPS documents. This is something we would like to move forward with in the future but is not a small undertaking.
digging even deeper, but amir gets in a quick reply:
Bruce Morton posted:The Mozilla Wiki describes that there are some exceptional circumstances where revoking the affected certificates within the prescribed deadline may cause significant harm and that the CA is ultimately responsible for deciding if the harm caused by not following the requirements of the Baseline Requirements outweighs the risks that are passed on to individuals who rely on the web PKI.
I don't think you're reading the link you're posting here? Specifically (emphasis mine):
Mozilla Root Program Requirements posted:The decision and rationale for delaying revocation will be disclosed in the form of a preliminary incident report immediately; preferably before the BR-mandated revocation deadline. The rationale must include detailed and substantiated explanations for why the situation is exceptional. Responses similar to “we do not deem this non-compliant certificate to be a security risk” are not acceptable. When revocation is delayed at the request of specific Subscribers, the rationale must be provided on a per-Subscriber basis.
Also, that link is JUST the Mozilla Root Program. Is there anything in the Chrome/Apple/Microsoft Root Programs that carves out exceptions for revocation?
and for avoiding this being illegible i'll only include my replies to Bruce and not the context, see the link for that
In the interest of openness and transparency this was based on a brief sampling of certificates and a more thorough report was produced and posted to the dev-security-policy mailing list (pending approval). I apologize for misunderstanding this as Entrust complying with the Baseline Requirements if but for only a brief period of time.
However in short: You have not answered my question at all. I am well aware of the 6,008 OV TLS certificates mentioned. Are Entrust willing to be transparent and provide a breakdown on: "'outstanding mis-issued certificates', 'expired certificates', 'revoked certificates'" in respect to this issue?
...
I am not seeing an answer to my question in that bug.
...
Unfortunately as amir has pointed out that is not what the Mozilla Root Program states. Additionally you are correct, delayed revocation nor non-revocation are not described in the TLS Baseline Requirements. To that end, what authorities are you relying on to reach your current understanding that such possibilities exist while being compliant?
...
I will note that this does not add up to the current pace at which Entrust is handling incidents. Please see the dev-security-policy mailing list for further detail shortly.
Post is pending approval and is an updated (and more professional) version of the CRL post with a focus on transparency and investigating an ongoing issue with a non-compliant CA.
still can't get over 'These errata have no impact on your certificate', i'm still not convinced they realise just how deep a grave they're digging
|
#
?
Apr 23, 2024 23:29
|
|
- shackleford
- Sep 4, 2006
-
|
if you'll recall a mentioned a few days ago that entrust's contact info on ccadb is out of date.
so i may have been kind and lobbed a softball to entrust to get them to lower their guard over the weekend, and it's worked:
this was the only thing entrust responded to yesterday presumably given it seemed so innocent, anyway sectigo noticed:
thanks sectigo
thectigo
lmao the softball was actually a live grenade
|
#
?
Apr 23, 2024 23:50
|
|
- Methylethylaldehyde
- Oct 23, 2004
-
BAKA BAKA
|
still can't get over 'These errata have no impact on your certificate', i'm still not convinced they realise just how deep a grave they're digging
"I will note that this does not add up to the current pace at which Entrust is handling incidents. Please see the dev-security-policy mailing list for further detail shortly."
I can't wait for you to emptyquote it at them in 2 weeks when they gently caress the dog again and end up having to pretend they never said those words to avoid being forced to eat them.
|
#
?
Apr 24, 2024 00:01
|
|
- Farmer Crack-Ass
- Jan 2, 2001
-
this is me posting irl
|
i'll run the wiki
|
#
?
Apr 24, 2024 01:28
|
|
- SeaborneClink
- Aug 27, 2010
-
MAWP... MAWP!
|
maybe we’re going about this all wrong. perhaps we should just start a CA and be lovely at our jobs and rake it in for years
I said this earlier and got threatened with a probe
edit: it would require intentional effort to be worse at it than some active CAs
SeaborneClink fucked around with this message at 01:32 on Apr 24, 2024
|
#
?
Apr 24, 2024 01:30
|
|
- psiox
- Oct 15, 2001
-
Babylon 5 Street Team
|
you could probably automate the special pleading about how the requirements are wrong and your customers are special with an LLM, anyway
|
#
?
Apr 24, 2024 01:40
|
|
- psiox
- Oct 15, 2001
-
Babylon 5 Street Team
|
what went well:
quote:
In addressing the concerns regarding our handling of the recent certificate issuance incident, we must first acknowledge the complexity and unprecedented nature of the challenges we faced. Throughout this process, our team has been steadfast in its commitment to maintaining service continuity and ensuring minimal disruption to our stakeholders. Despite our rigorous protocols and the dedicated efforts of our team, some certificates were issued that did not meet our usual standards of excellence.
We understand the importance of adherence to best practices and the expectations of our community. It is imperative to recognize that the decision-making framework at the time was based on a comprehensive analysis of the situation, prioritizing the integrity of the infrastructure and the broader implications of a mass revocation.
We are currently undertaking a thorough review of our systems and processes to better understand the root causes and to identify opportunities for improvement. This includes enhancing our monitoring capabilities and revising our incident response strategies to better manage and mitigate such incidents in the future.
Your feedback is invaluable to us as we continue to strive for excellence in our operations. We are committed to learning from this experience and to making the necessary adjustments to prevent recurrence, ensuring the reliability and trustworthiness of our services moving forward.
|
#
?
Apr 24, 2024 01:43
|
|
- MononcQc
- May 29, 2007
-
|
“Best practices” is often just a stand-in for whatever norms people have established within an org. If the norms are bad, the best practices might be as well.
|
#
?
Apr 24, 2024 03:25
|
|
- Adbot
-
ADBOT LOVES YOU
|
|
#
?
May 5, 2024 23:24
|
|
- NFX
- Jun 2, 2008
-
-
Fun Shoe
|
I have a question about certificate transparency logs. as far as I can tell CAs only need to submit a pre certificate to the log, and that's what they usually do (according to wayne's comment some pages back).
what mechanism ensures that the CA then issues a certificate that matches the pre-cert? as far as I can tell that's entirely up to the client?
I suppose there's no other place to put the responsibility (and a cert that's never seen by a client is pointless anyway, regardless if it's malicious or not), but it seems like something that could be prevented by requiring the issued cert to be logged
|
#
?
Apr 24, 2024 06:22
|
|