A critical vulnerability in the Saltstack configuration management software that was discovered in March by the F-Secure company was recently used for widespread attacks. Among the affected hosts was one of the Certificate Transparency logs operated by DigiCert.
The attackers had access to the private key of the CT2 log. According to DigiCert, other logs operated by the company were not affected.
The Google Chrome browser requires two so-called signed certificate timestamps (SCTs) for every valid TLS certificate. These SCTs have to come from different logs. Therefore, in a case like this in which one log is compromised, there is always a second SCT that is unaffected.
Devon O’Brien explained Google’s response to this incident. Certificates can have SCTs embedded or they can be delivered via TLS extensions or OCSP. For cases in which the SCTs from the compromised CT2 log are embedded, Chrome will continue to accept the certificates with SCTs from this log if they were issued before the incident. However, certificates that deliver their SCTs via TLS extensions or OCSP need to get a new SCT from a different log if they relied on the compromised log.Source: Feisty Duck
DigiCert acquired Symantec’s scroungy PKI business in 2017. See here for details. I still cannot believe Symantec found some dumbass to buy their shit. Un-fucking-believable!