A critical vulnerability in the Saltstack configuration management software that was discovered in March by the F-Secure company was recently used for widespread attacks. Among the affected hosts was one of the Certificate Transparency logs operated by DigiCert.

The attackers had access to the private key of the CT2 log. According to DigiCert, other logs operated by the company were not affected.

The Google Chrome browser requires two so-called signed certificate timestamps (SCTs) for every valid TLS certificate. These SCTs have to come from different logs. Therefore, in a case like this in which one log is compromised, there is always a second SCT that is unaffected.

Devon O’Brien explained Google’s response to this incident. Certificates can have SCTs embedded or they can be delivered via TLS extensions or OCSP. For cases in which the SCTs from the compromised CT2 log are embedded, Chrome will continue to accept the certificates with SCTs from this log if they were issued before the incident. However, certificates that deliver their SCTs via TLS extensions or OCSP need to get a new SCT from a different log if they relied on the compromised log.

Source: Feisty Duck

DigiCert acquired Symantec’s scroungy PKI business in 2017. See here for details. I still cannot believe Symantec found some dumbass to buy their shit. Un-fucking-believable!

  • About

    Destabilizing cishetero amatonormativity. Providing disruption as a service. Once you know the way, you see it in all things. Unless you puke, faint or die, keep going. Also we never asked for this. I̸͝t̸̑ ̵̽i̷͗s̶͐ ̵͝a̶͒l̷ ͍r̷ ̗͕e̵͑a̶͌d̸̄y̷̚ ̶̀ ͓͑t̷̚ô̶o̸ ̥ ̶́ ̡l̷͝a̶̽t̵͒ė̶.̸ ̋͑

  • Got something interesting?

    You think you got something which should be on this site? Then contact us. You want something removed from this site, because you think it should not be here? Then go fuck yourself. This is a free website. Free as in freedom. It tolerates every opinion from everyone. However, it does not tolerate things which are illegal according to the Swiss legislation.

  • Disclaimer

    We cannot be held responsible for any kind of direct, indirect or consequential damages caused by the stuff and or opinions we provide here. Use this on your own risk. Don’t blame us if something goes wrong or totally messes up your machine, your life or whatever. If this is unacceptable for you then go away and never come back again. Thank you!