Issue metadata
Security: Trusted C.A. is issuing irregular TLS certificates
Reported by r...@rme.li, Dec 28 2016
Issue description

The Certification Authority called "C=ES, O=FNMT, OU=FNMT Clase 2 CA" is currently in the Microsoft Trusted Root Certificate Program, so it's being trusted in Chrome under Windows. This CA is issuing irregular X.509 certificates, thus breaking CA/Browser Forum rules.

Instance 1: "FNMT Clase 2 CA" issues a cert for an internal domain (CN=auditor.intranet.gc). .gc is not a TLD.

SHA-256: e5757f28a974675950fd2f76b7633811c86f60b6528644ec1dc81a7465980a7f
SHA-1: e2cf71d52334e355006aa911aa69d158b237dd09
Issue date: Feb 9 16:45:50 2016

CA/Browser Forum Baseline Requirements: "the CA shall not issue a certificate with an Expiry Date later than 1 November 2015 with a SAN or Subject Common Name field containing a Reserved IP Address or Internal Server Name. As from 1 October 2016, CAs shall revoke all unexpired Certificates"

This cert is logged in a Certificate Transparency log here:
https://censys.io/certificates/e5757f28a974675950fd2f76b7633811c86f60b6528644ec1dc81a7465980a7f
https://crt.sh/?id=13283681
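The Baseline Requirements clause quoted in the report can be turned into a mechanical audit check: for each name in a certificate's Subject CN and SANs, decide whether it is a Reserved IP Address or an Internal Server Name, then apply the two dates (the 1 November 2015 expiry cut-off and the 1 October 2016 revocation deadline). The following is an added example, not code from the bug report, from Chromium or from the CA; the certificate records are constructed (the first reuses the CN and issue date cited above with a hypothetical expiry), `PUBLIC_TLDS` is a hypothetical subset of the IANA root zone that a real audit would replace with the full list, and the function and class names are the example's own.

```python
"""Audit certificate names against the CA/B Forum Baseline Requirements
rule quoted in the report: a publicly trusted certificate expiring after
1 November 2015 must not carry a Reserved IP Address or Internal Server
Name in its SAN or Subject CN, and any such certificate still unexpired
on 1 October 2016 had to be revoked.

Added example, not part of the original bug report.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import date

# Hypothetical subset of IANA root-zone TLDs, for illustration only.
# A real audit loads https://data.iana.org/TLD/tlds-alpha-by-domain.txt
PUBLIC_TLDS = {"com", "net", "org", "es", "uk", "info", "io"}

BR_INTERNAL_NAME_SUNSET = date(2015, 11, 1)   # expiry after this is non-compliant
BR_REVOCATION_DEADLINE = date(2016, 10, 1)    # unexpired certs must be revoked


@dataclass
class CertRecord:
    """Minimal view of a certificate as an auditor would pull it from a CT log."""
    subject_cn: str
    issue_date: date
    expiry_date: date
    sans: list[str] = field(default_factory=list)


def is_reserved_ip(name: str) -> bool:
    """True if name parses as an IP address that is not globally routable
    (RFC 1918, link-local, loopback, ULA, etc.)."""
    try:
        return not ipaddress.ip_address(name).is_global
    except ValueError:
        return False


def is_internal_server_name(name: str) -> bool:
    """True if name is a DNS name whose rightmost label is not a public TLD,
    or a bare single label (e.g. "mailserver"). IP literals are not DNS names."""
    try:
        ipaddress.ip_address(name)
        return False
    except ValueError:
        pass
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return True
    return labels[-1] not in PUBLIC_TLDS


def br_findings(cert: CertRecord, today: date) -> list[str]:
    """Return the BR violations for one certificate, or [] if compliant."""
    findings = []
    for n in [cert.subject_cn] + cert.sans:
        if is_reserved_ip(n):
            findings.append(f"reserved IP {n}")
        elif is_internal_server_name(n):
            findings.append(f"internal server name {n}")
    if not findings:
        return []
    if cert.expiry_date <= BR_INTERNAL_NAME_SUNSET:
        return []  # expires on or before 1 Nov 2015: still permitted
    if today >= BR_REVOCATION_DEADLINE and cert.expiry_date > today:
        findings.append("must be revoked (unexpired after 1 Oct 2016)")
    return findings


# Constructed sample records. The first uses the CN and issue date from the
# report; its expiry date is hypothetical.
SAMPLE_CERTS = [
    CertRecord("auditor.intranet.gc", date(2016, 2, 9), date(2018, 2, 9)),
    CertRecord("www.example.es", date(2016, 2, 9), date(2018, 2, 9),
               sans=["www.example.es", "192.168.10.5"]),
    CertRecord("old.corp", date(2014, 1, 1), date(2015, 6, 30)),
    CertRecord("www.example.com", date(2016, 2, 9), date(2017, 2, 9),
               sans=["www.example.com", "8.8.8.8"]),
]


def audit(certs: list[CertRecord], today: date = date(2016, 12, 28)) -> dict[str, list[str]]:
    """Map each certificate's CN to its findings, evaluated as of `today`
    (default: the report date)."""
    return {c.subject_cn: br_findings(c, today) for c in certs}


if __name__ == "__main__":
    for cn, findings in audit(SAMPLE_CERTS).items():
        print(cn, "->", findings or "compliant")
```

The check deliberately treats a certificate that expired on or before the sunset date as compliant even if it names an internal host, because the quoted clause keys on expiry, not issuance; a stricter policy engine would also look at the issue date.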
Comment 1 by meacer@google.com, Dec 28 2016
Components: Internals>Network>SSL

Thanks for reporting this. I'm going to close this bug as WontFix, because we won't be using it to track further steps. However, I have notified Mozilla ( https://bugzilla.mozilla.org/show_bug.cgi?id=435736#c169 ) of this, as they are pending trusting this root. Chrome users are protected from any immediate attacks on this, as it does not trust certificates for intranet domains issued by publicly trusted roots. Removing Restrict-View on this, given the public discoverability of this.