On Tuesday, 21 January 2020 09:43:53 UTC-5, [email protected] wrote:
> About 24 hours ago, this gist was published to GitHub:
>
> https://gist.github.com/nstarke/a611a19aab433555e91c656fe1f030a9
>
> It details two publicly-trusted certificates whose private keys are present
> in publicly-available Netgear firmware images.
>
> One - which appears to remain valid at time of writing - is an OV certificate
> for "routerlogin.com" and variants, which was issued to Netgear by Entrust,
> https://crt.sh/?id=1955992027
>
> =====
>
> The other, issued by Sectigo/Comodo for "mini-app.funjsq.com" (
> https://crt.sh/?id=615809732 ) seems to have been revoked not long after
> publishing.
>
> Although it has been revoked, I am still personally curious as to how and why
> Netgear came to be in possession of that latter certificate's private keys in
> the first place. If funjsq knowingly provided it to Netgear, a closer look at
> other funjsq-related certificates might be in order. (And if they did not,
> obviously, there was a deeper and more serious failure somewhere.)
>
> There are a number of certificates issued for funjsq.com subdomains, from a
> few different CAs: https://crt.sh/?q=funjsq.com
>
> One certificate, although it is expired, piqued my interest when I first saw
> it: https://crt.sh/?id=325345427 for "asus-plugin.funjsq.com". This subdomain
> is apparently active, though it is presently served using funjsq's wildcard
> cert.
>
> -NK
On January 20th at approximately 10:30 AM EST, Entrust Datacard was notified by a third party regarding an exposed private key for a certificate that we had issued to one of our customers. A third-party incident report has been published here (the same link that was included in the original post to this thread): https://gist.github.com/nstarke/a611a19aab433555e91c656fe1f030a9

In accordance with our CPS, we immediately contacted the customer to notify them that the certificate must be revoked within 24 hours from the time of notification to Entrust. The certificate was revoked on January 21st at 10:24 AM EST, within the 24-hour time frame.

Here is a CT record for the certificate in question, which now shows the OCSP status as revoked: https://crt.sh/?id=1955992027

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
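The check behind a report like the one discussed in this thread is that a private key carved out of a firmware image is the private half of a publicly trusted certificate. The script below is an added example, not code from the thread, from the gist, or from any vendor firmware: it carves PEM private-key blocks out of a binary image and compares the SHA-256 of each key's DER SubjectPublicKeyInfo with the SPKI in a certificate, which handles RSA and EC keys uniformly and is what one would run with the certificate downloaded from crt.sh as the CERT argument. The file names, the `*.example` CN values, the throwaway keys and the fake image are all constructed here for the demonstration.

```shell
#!/bin/sh
# Added example: carve PEM private keys out of a firmware image and report
# which carved key, if any, is the private half of a given certificate.
# The comparison hashes the DER SubjectPublicKeyInfo derived from each key
# and from the certificate, so RSA and EC keys are handled the same way.
# Not code from the thread, the gist, or any vendor firmware. Requires
# openssl, awk and tr. Every input file below is constructed on the spot.
set -eu

# carve_keys IMAGE OUTDIR
# Drop non-printable bytes, then copy each BEGIN..END PRIVATE KEY block
# into OUTDIR/key-N.pem and print N. Printable junk that shares a line with
# the BEGIN or END marker (keys in firmware rarely start on a fresh line)
# is trimmed so the carved file is valid PEM.
carve_keys() {
    mkdir -p "$2"
    tr -cd '\11\12\15\40-\176' < "$1" | awk -v out="$2" '
        /-----BEGIN [A-Z ]*PRIVATE KEY-----/ {
            sub(/.*-----BEGIN/, "-----BEGIN")
            n++; f = out "/key-" n ".pem"; inblk = 1
        }
        inblk {
            if (match($0, /-----END [A-Z ]*PRIVATE KEY-----/)) {
                print substr($0, 1, RSTART + RLENGTH - 1) > f
                close(f); inblk = 0
            } else {
                print > f
            }
        }
        END { print n + 0 }'
}

# spki_sha256_of_key KEYFILE: SHA-256 over the DER SPKI of the key's public
# half. "-passin pass:" makes openssl fail (instead of prompting) on an
# encrypted key, so the caller can skip it with a warning.
spki_sha256_of_key() {
    t=$(mktemp)
    if ! openssl pkey -in "$1" -passin pass: -pubout -outform DER -out "$t" 2>/dev/null; then
        rm -f "$t"; return 1
    fi
    openssl dgst -sha256 "$t" | awk '{print $NF}'
    rm -f "$t"
}

# spki_sha256_of_cert CERTFILE: the same hash, taken from the certificate.
spki_sha256_of_cert() {
    t=$(mktemp)
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER -out "$t"
    openssl dgst -sha256 "$t" | awk '{print $NF}'
    rm -f "$t"
}

# find_matching_key IMAGE CERT OUTDIR: print the carved key file whose SPKI
# matches CERT; exit status 1 when no carved key matches.
find_matching_key() {
    n=$(carve_keys "$1" "$3")
    want=$(spki_sha256_of_cert "$2")
    i=1
    while [ "$i" -le "$n" ]; do
        k="$3/key-$i.pem"
        if h=$(spki_sha256_of_key "$k"); then
            if [ "$h" = "$want" ]; then
                echo "$k"; return 0
            fi
        else
            echo "skipping $k: unreadable (encrypted or truncated?)" >&2
        fi
        i=$((i + 1))
    done
    return 1
}

# ---- constructed sample data (assumed names, throwaway keys) ----
WORK=$(mktemp -d)
for name in shipped extra absent; do
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$WORK/$name.key" 2>/dev/null
    openssl req -x509 -new -key "$WORK/$name.key" -subj "/CN=$name.example" -days 1 -out "$WORK/$name.crt" 2>/dev/null
done
# Fake image: random bytes around two embedded keys; "cfg=1;" is glued onto
# the first BEGIN line to exercise the junk-trimming path.
{
    head -c 4096 /dev/urandom; printf 'cfg=1;'; cat "$WORK/shipped.key"
    head -c 2048 /dev/urandom; cat "$WORK/extra.key"; head -c 4096 /dev/urandom
} > "$WORK/fw.bin"

if key=$(find_matching_key "$WORK/fw.bin" "$WORK/shipped.crt" "$WORK/carved"); then
    echo "shipped.crt: its private key is in the image at $key"
fi
if ! find_matching_key "$WORK/fw.bin" "$WORK/absent.crt" "$WORK/carved" >/dev/null; then
    echo "absent.crt: no matching key in the image"
fi
```

The SPKI hash is deliberately the pivot rather than a modulus or fingerprint: the same value identifies the key in every certificate that carries it, so after one certificate is revoked within the 24-hour window the thread describes, searching CT for other certificates with the same public key shows whether the exposed key is still trusted through a sibling certificate.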

