Geotrust/Symantec has revoked all SSL certificates for .pw domains

157 points by afreak over 9 years ago

13 comments

flashman over 9 years ago

Could this be anything like the DigiNotar hack?[0]

If it came out that Symantec's certificate authority was used to issue fraudulent certificates, the damage to their business could be in the hundreds of millions. What if the silence is because Symantec is trying to figure out the best way to break the news to us?

Edit: After a bit more reading, Symantec has some history of monitoring .pw for malware and spam.[1][2][3] Perhaps someone just decided they wanted nothing more to do with PW issuer Directi, which apparently has a poor reputation.[4]

[0] https://en.wikipedia.org/wiki/DigiNotar
[1] http://www.symantec.com/connect/blogs/rise-pw-urls-spam-messages
[2] http://www.symantec.com/connect/blogs/pw-hit-and-run-spam-royal-baby-trend
[3] http://www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise
[4] http://www.jl.ly/Email/palau.html
Animats over 9 years ago

This is strange. An entire TLD? Symantec hasn't issued an announcement. There's nothing on the CA/Browser Forum mailing list. Nothing on the Symantec Security Response Blog. Nothing on Symantec's Twitter feeds.

Symantec stopped issuing certs in .PW six days ago, according to a blog post.[1] But there appears to have been no public announcement. Even if there was a major security breach justifying this, Symantec has botched the revocation and has lost much trust.

[1] https://www.reddit.com/r/sysadmin/comments/3j9iyk/just_a_heads_up_symantec_is_cancelling_ssl/
jpatokal over 9 years ago

For everybody else who was wondering, .pw is Palau, a tiny island nation (pop. 17k) in Micronesia:

https://en.wikipedia.org/wiki/.pw

And apparently its sole decent hotel is smart enough to use a .com instead:

http://www.palauppr.com/default-en.html
0x0 over 9 years ago

The current CA PKI system is pure madness. Everyone in the CA club can issue certificates for anything - and you are at their mercy for not revoking. And what's worse, even if you pick a decent vendor, you can't prevent shadier outfits from also issuing parallel certs. :(
MichaelGG over 9 years ago

Why on earth should any CA be getting involved in what a site hosts? They need to validate ownership and stop.
jqm over 9 years ago

"But here's the thing: why did Geotrust just go ahead and revoke the certificates for all .PW domains without any warning?"

Why indeed? My first notice of this was a client unable to use the app even though the cert was issued less than 6 months ago and was a 2 year cert. Like the author I also initially thought client configuration issue until I tried.

I contacted the reseller who didn't have an answer right off the bat but had to contact Geotrust. After 15 minutes of fooling around I got an answer and a refund. So yes, they issued me a refund. Great. My clients had downtime. I had to drop what I was doing "right then" and install new certs. Finally I had to walk clients through clearing old certs from their browser as they were getting the scary "Untrusted!" popup. Fortunately this is a private app for a specific client so there weren't a bunch of calls.

Geotrust's handling of this was ridiculous. No email, no notification... I'll certainly never get a cert from them again over this incident.
Aldo_MX over 9 years ago

Let's Encrypt is starting to issue the first certificates[1].

Hopefully dealing with bad CAs will be a thing of the past.

[1] https://letsencrypt.org/2015/08/07/updated-lets-encrypt-launch-schedule.html
kordless over 9 years ago

I think DNS signing authorities are a bunch of outlaws. They charge for trust, yet don't establish it themselves.
daurnimator over 9 years ago

Btw, can someone explain to me how revocation interacts with certificate pinning?
bcoates over 9 years ago

I've had issues with other registrars revoking certificates for questionable reasons (i.e., any reason other than obvious loss of control of the private key).

Is there a "bulletproof" registrar that doesn't revoke? If my client loses thousands of dollars per day of downtime I'm sure they'd be willing to pay through the nose for it.

I understand the reasons for having a revocation system but it's often not a benefit to me on a balance-of-risks basis.
Animats over 9 years ago

Is this for real? All we have is one unknown blogger, Colin Keigher, picked up by other sources. It's Tuesday afternoon, so everyone is back at work. A takedown of an entire TLD should have hit news sources and major security blogs by now. I'm not seeing anything other than echoes of the original blog post. It hasn't even come up on the CA/Browser forum mailing list or security blogs.
kruhft over 9 years ago

I just developed a browser to server based crypto channel meant to replace the SSL certificate mess on a side project I'm working on. I know that there's a bad rap for browser based crypto and rolling your own but I've got some knowledge and thought I would give it a shot.

The code is not public (yet) but uses DH key exchange (using the JS BigInt library) to exchange a 2048 bit token key and then uses sjcl to perform encryption on each packet/request using the resulting key.

It's lacking host validation (am I talking to the correct server?), but I'm still working on getting that piece together.
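A toy model of the scheme in the comment above (DH agreement, then a session key for per-request encryption), with the missing host validation step added. This is an added example, not kruhft's code; the HMAC over the transcript, keyed with a long-term key the client already trusts, is an assumed stand-in for a signature by a certified server key, and the prime is a constructed toy value far too small for real use.

```python
"""Toy DH handshake with and without host validation (constructed example)."""
import hashlib
import hmac
import secrets

P = 2**127 - 1   # constructed toy prime; a real deployment uses a 2048-bit MODP group
G = 2
NBYTES = 16      # every value below is < P < 2**128, so 16 bytes suffice


def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared(priv, peer_pub):
    if not 1 < peer_pub < P - 1:          # reject degenerate shares (0, 1, p-1)
        raise ValueError("invalid DH share")
    return pow(peer_pub, priv, P)


def session_key(shared):
    # Derive the per-request encryption key from the raw DH secret.
    return hashlib.sha256(shared.to_bytes(NBYTES, "big")).digest()


def transcript(server_pub, client_pub):
    return server_pub.to_bytes(NBYTES, "big") + client_pub.to_bytes(NBYTES, "big")


def sign_share(identity_key, server_pub, client_pub):
    # Assumption: HMAC with a key the client already trusts stands in for a
    # signature by the server's certified long-term key.
    return hmac.new(identity_key, transcript(server_pub, client_pub), "sha256").digest()


def handshake(client_trusted_key, presented_key, authenticated=True):
    """Run one handshake. presented_key is whatever the peer actually holds.
    Returns (client_accepted, both_sides_derived_same_key)."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    tag = sign_share(presented_key, s_pub, c_pub)   # sent alongside the server's share
    if authenticated:
        expected = sign_share(client_trusted_key, s_pub, c_pub)
        if not hmac.compare_digest(tag, expected):
            return False, False                       # host validation failed
    ck = session_key(dh_shared(c_priv, s_pub))
    sk = session_key(dh_shared(s_priv, c_pub))
    return True, ck == sk
```

With `authenticated=False` the client accepts any peer's share, which is exactly what "lacking host validation" means; with the check on, only a peer holding the trusted key is accepted.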
mahouse over 9 years ago

I don't know who thought that having the possibility of revoking certificates was a good idea, especially when that possibility is controlled by CAs.